This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

Handle requests for strange twitter usernames #1527

Closed
zbynekwinkler opened this issue Sep 30, 2013 · 3 comments

Comments

@zbynekwinkler
Contributor

https://app.getsentry.com/gittip/gittip/group/6116674/

Stacktrace (most recent call last):

  File "aspen/website.py", line 76, in handle_safely
    response = self.handle(request)
  File "aspen/website.py", line 109, in handle
    response = request.resource.respond(request)
  File "aspen/resources/dynamic_resource.py", line 47, in respond
    exec self.pages[1] in context
  File "/app/www/on/twitter/%screen_name/index.html.spt", line 18, in <module>
    user_info = twitter.get_user_info(path['screen_name'])
  File "gittip/elsewhere/twitter.py", line 61, in get_user_info
    user_info = requests.get(url % screen_name, auth=oauth)
  File "requests/api.py", line 55, in get
    return request('get', url, **kwargs)
  File "requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "requests/sessions.py", line 324, in request
    prep = req.prepare()
  File "requests/models.py", line 226, in prepare
    p.prepare_auth(self.auth, self.url)
  File "requests/models.py", line 428, in prepare_auth
    r = auth(self)
  File "requests_oauthlib/core.py", line 65, in __call__
    unicode(r.url), unicode(r.method), None, r.headers)
  File "oauthlib/oauth1/rfc5849/__init__.py", line 233, in sign
    encoding=self.encoding)
  File "oauthlib/common.py", line 365, in __init__
    self._params.update(dict(urldecode(self.uri_query)))
  File "oauthlib/common.py", line 135, in urldecode
    raise ValueError('Not a valid urlencoded string.')
  ValueError: Not a valid urlencoded string.

The request causing this is for /on/twitter/"><img src=x onerror=confirm("XSS");>/ and we use this twitter username for the request to https://api.twitter.com/1.1/users/show.json?screen_name=%s without any escaping. Should we do urlencode on the twitter names? What does twitter allow in usernames?
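
The two defensive layers the comment asks about, as an added example that is not gittip's code and not part of this thread: an allowlist check on the screen name before it is used anywhere, and percent-encoding of the query when the outbound URL is built. The screen-name rule (letters, digits and underscore, 1 to 15 characters) is assumed from Twitter's documented username format; `URLENCODED_QUERY_RE` is a simplified stand-in for the check that makes oauthlib's `urldecode` raise `Not a valid urlencoded string.` in the trace above, not oauthlib's own code. The function names and the sample inputs are constructed for the example.

```python
import re
from urllib.parse import urlencode, urlsplit

# Assumed from Twitter's documented username rule: letters, digits, underscore, 1-15 chars.
SCREEN_NAME_RE = re.compile(r'^[A-Za-z0-9_]{1,15}$')
USERS_SHOW_URL = 'https://api.twitter.com/1.1/users/show.json'

# Simplified stand-in (not oauthlib's code) for the "valid urlencoded string" check:
# every character of the query must be unreserved, a query delimiter, '+', or a
# well-formed %XX escape.
URLENCODED_QUERY_RE = re.compile(r'^(?:[A-Za-z0-9\-._~=&+*]|%[0-9A-Fa-f]{2})*$')


def is_valid_screen_name(name):
    """True only for strings that can be a Twitter screen name under the assumed rule."""
    return bool(SCREEN_NAME_RE.match(name))


def unsafe_user_info_url(screen_name):
    """The pattern from the issue: the path segment is interpolated with no escaping."""
    return USERS_SHOW_URL + '?screen_name=%s' % screen_name


def encode_only_user_info_url(screen_name):
    """Percent-encoding alone: the query is always well-formed, but any junk still reaches the API."""
    return USERS_SHOW_URL + '?' + urlencode({'screen_name': screen_name})


def safe_user_info_url(screen_name):
    """Allowlist first, then encode: junk is rejected before any request is built."""
    if not is_valid_screen_name(screen_name):
        raise ValueError('not a possible Twitter screen name: %r' % screen_name)
    return encode_only_user_info_url(screen_name)


def query_is_urlencoded(url):
    """True if the URL's query string passes the simplified urlencoded check above."""
    return bool(URLENCODED_QUERY_RE.match(urlsplit(url).query))


# Constructed inputs: the path segment from the issue and an ordinary-looking handle.
PAYLOAD = '"><img src=x onerror=confirm("XSS");>'
HANDLE = 'example_user'

if __name__ == '__main__':
    raw = unsafe_user_info_url(PAYLOAD)
    print('unsafe   :', raw, '-> well-formed query:', query_is_urlencoded(raw))
    enc = encode_only_user_info_url(PAYLOAD)
    print('encoded  :', enc, '-> well-formed query:', query_is_urlencoded(enc))
    print('validated:', safe_user_info_url(HANDLE))
    try:
        safe_user_info_url(PAYLOAD)
    except ValueError as exc:
        print('rejected :', exc)
```

Encoding on its own removes the crash, because `urlencode` turns `"`, `<`, `>` and spaces into `%XX` escapes and `+`; the allowlist is what answers "what does twitter allow", and rejecting the value up front means it is never sent to the API or reflected back into a page.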

@zbynekwinkler
Contributor Author

Referencing #1521 to link these together.

@zbynekwinkler
Contributor Author

We can also block this on #1369.

@Changaco
Contributor

This was fixed in the elsewhere refactor (#1369).
