I managed to have a string id domain with assigned generator, so the url to show/edit is /controller/action/alphanumeric_id.
It worked fine till I do vulnerabilities tests, so I found a problem when the id contain slashes (and backslash) even when encoded with %2F (and %5C) the browser gives 400 Bad Request error.
My mapping is the default one /$controller/$action?/$id? and I watched with a validator into the constraints to see what is going on, but the request not even arrive there when containing these characters.
If I access /controller/action/?id=alphanumeric_id all goes well, but I wonder if there is no way to continue using default short url.
EDIT:
Create a new grails application (mine is version 2.1.3);
Create a controller;
In any action do println params.id, if you want you can do so in UrlMapping too;
Try to access your controller by /appname/controller/action/abc, it goes fine;
Now try /appname/controller/action/a%2Fbc or /appname/controller/action/a%5Cbc, it gives 400 Bad Request;
Other combinations with %00 upto %FF should work as well, but not all of them does, by the way, %00 also do not work.
BUGGED COMBINATIONS: %00 %2F %5C
Related
I'm writing a plugin that keeps track of the pages that a user has visited in an application (for the purpose of a back button). It does this by having a filter that runs for every controller/action and keeps a list of visited pages. Everything is working great, except that when used in applications that use forwards, the plugin records two entries for the one page since Grails filters run on every request, even when that request is just a forward (ie: internal redirect).
Since this is a plugin (that has to be application agnostic) I can't simply set a flash variable whenever a forward is used to check if a forward has occurred. Is there any way to determine if a forward has occurred in a filter? I'm exploring the different values in the request variable and how they differ between a normal request and a forward, but things can get quite confusing. Any help is highly appreciated.
P.S. The main difference I noticed so far is that the request.forwardURI and request.requestURI differ for a forward, however, the requestURI is in a special format that I currently don't know how to convert to match the forwardURI.
For example for a normal request:
request.forwardURI = '/short-url' (as set in URLMappings) or '/controller/action
request.requestURI = '/grails/controller/action.dispatch'
For a forward:
request.forwardURI = '/short-url' (as set in URLMappings) or '/controller/action'
request.requestURI = '/grails/forwardedController/forwardedAction.dispatch'
If I add slash / to the parameter of a page, even in encoded form %2F I get an error.
Sample URL:
http://mywebsite.com/somepage?param=dfgdfg%2F
Error:
Input string 'dfgdfg/' is not valid; the character '/' at position 7 is not valid.
I am trying to pass whole URL as parameter (to later redirect user to that URL) so there are a lot of slashes in there.
Is this a bug? Is there any workaround?
I could theoretically replace all slashes with something else than %2F but that is something I would attempt after everything else fails...
As I've learned this happens on Jetty only, which I use for development...
This custom service override solved the problem:
http://tapestry.1045711.n5.nabble.com/Customising-T5-URL-Encoding-tp2412550p2412551.html
Looks very hacky but works :).
See the Web Services More example on the JumpStart page. Works for me on Jetty.
The JumpStart page has many "how-to-do-this-in-Tapestry" examples.
For complicated reasons I won't go into, we have some requests that come into our application for /blah/[**Token**] (this is literal, none of this is placeholders).
Currently we get errors from MVC saying it can't find an IController for this every time the request comes in.
We would like the request to either: a) 404 or b) serve up a static placeholder image.
Try as we might, we can't figure out how to escape these characters in an IgnoreRoute/Route call such that they are treated literally. Eg. we've tried:
IgnoreRoute("blah/\[\*\*Token\*\*\]")
IgnoreRoute("blah/[\*\*Token\*\*]")
But the problem still persists.
How do we escape this path, such that actual requests to blah/[**Token**] are ignored and result in 404 (or alternatively, how do we map this exact path to a static image)?
Note: We have edited web.config so that * is not a disallowed character. We can't (currently) easily change this incoming request path, we just want to stop our error logs filling up when it happens :-)
Use a route constraint like this
IgnoreRoute("{*constraint}", new { constraint = #".*\[\*\*ProductImageFile\*\*]" });
I'm trying to use Google Federated Login REST API. I can succesfully reach out to the google server and validate a user but I cannot pull parameters from the return url
for example:
http://mysite.com/login/return?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud...
All the variables in that return string are not accessible in the params array. I have no idea how to get them out. requst.url, request.query_parameter, and all similar calls do not return the query string.
I think i found the issue. I was using the open-uri library to make the call to google's endpoint url so it may have been stepping outside of the normal rails response/request cycle. I've since used Net::HTTP requests and parse the information from the response.
So I have a very similar issue, where I'm actually building a Rails-based openid provider but being consumed by another Rails app. I basically adapted the code from
The whole URL was:
http://localhost:3000/openid?openid.assoc_handle=%7BHMAC-SHA1%7D%7B5193d33f%7D%7BdBrUwQ%3D%3D%7D&openid.claimed_id=http%3A%2F%2Flocalhost%3A3000%2Fopenid%2Fwarren&openid.identity=http%3A%2F%2Flocalhost%3A3000%2Fopenid%2Fwarren&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.realm=http%3A%2F%2Flocalhost&openid.return_to=http%3A%2F%2Flocalhost%2Fsession%3F_method%3Dpost%26return_to%3D&openid.sreg.required=nickname%2Cemail
I had a similar problem where the only parameters being reported were:
{"action"=>"index", "controller"=>"openid"}
So, suspecting that some parameter (maybe a period?) was causing it to hiccup, I went through and deleted them one by one until I found that deleting the following parameter enables the entire thing to go through correctly:
openid.mode=checkid_setup
That left all the remaining parameters correctly being parsed:
{"openid.assoc_handle"=>"{HMAC-SHA1}{5193d33f}{dBrUwQ==}",
"openid.claimed_id"=>"http://localhost:3000/openid/warren",
"openid.identity"=>"http://localhost:3000/openid/warren",
"openid.ns"=>"http://specs.openid.net/auth/2.0",
"openid.ns.sreg"=>"http://openid.net/extensions/sreg/1.1",
"openid.realm"=>"http://localhost",
"openid.return_to"=>"http://localhost/session?_method=post&return_to=",
"openid.sreg.required"=>"nickname,email",
"action"=>"index",
"controller"=>"openid"}
I'm now trying to find why openid.mode causes this issue. It fails even if I change it to openid.mode=5, so it's the key, not the value, causing the problem.
Suspecting the ".mode" part of the string for the trouble (maybe ".mode" is a filetype or something being parsed by the routing?) I am looking towards this post on allowing periods, but it only applies to the value, not the key: rails routing and params with a '.' in them
Will report back if I find more.
Update: I tried, in another Rails app, adding ?openid.mode=0 to the end of a URL -- ".mode" does not result in a parameter being read, but ".modes=" does and so does ".mod=". This confirms that ".mode" is causing a params parsing error.
Update 2: yikes... actually "?a.mode=0" does work. So far, only the complete string "openid.mode" does not work, and this is across various Rails apps. "?openid.mode" with nothing else results in: Parameters: {"openid.mode"=>nil}, but "?openid.mode=" with nothing after the "=" fails to pass any parameters besides action & controller. Very odd.
Update 3: OK, figured it out, I believe -- the params were getting sanitized i.e. deleted by the rack-openid gem, in that gem's path: /lib/openid.rb:168, "sanitize_query_string". This seems to be incompatible with the example I was working with: https://github.com/openid/ruby-openid/tree/master/examples/rails_openid. Going to override that method.
Final update: I replaced this line:
oidreq = server.decode_request(params)
with this line, since we could no longer use the now-empty params hash:
oidreq = server.decode_request(Rack::Utils.parse_query(request.env['ORIGINAL_FULLPATH']))
Currently, when I try to hit certain pages of my site via something like http://www.domain.com/< (which is a valid URL), I get a blank page with the text "Bad Request" on it (and nothing else). This happens with both the escaped and unescaped version of the URL.
I'm fairly certain this is due to IIS6 not liking the < character (which, in general, is valid). Is there a way to stop IIS6 from filtering these characters and giving me this error page?
(I've found similar solutions for IIS7, but nothing has worked in IIS6 so far.)
UPDATE: The URL is being transformed already, ie. hitting domain.com/%3C will also give the "Bad Request" page.
Not sure if this will work, but this got me out of a similar jam caused by design types forgetting key parts of query strings. Sounds like you might have a similar issue. Anyhow, try making a virtual directory called %3c and then having that redirect to where appropriate.
RFC 1738:
Thus, only alphanumerics, the special characters "$-_.+!*'(),", and reserved characters used for their reserved purposes may be used unencoded within a URL.
< transforms to %3C
https://stackoverflow.com/<