Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

URI encode before passing to URI object to deal with pathological URIs #67

Merged
merged 1 commit into from
Mar 17, 2014
Merged

URI encode before passing to URI object to deal with pathological URIs #67

merged 1 commit into from
Mar 17, 2014

Conversation

tilthouse
Copy link
Contributor

We found an issue with pathological URLs causing rack-ssl-enforcer to blow up. Our Airbrake reported the following errors:

URI::InvalidURIError: bad URI(is not URI?): http://example.org/index.php?news7["functions"]=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/[path]/mybic_server.php?file=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/sys/code/box.inc.php?config["sipssys"]=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/addvip.php?msetstr["PROGSDIR"]=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/index.php?config["sipssys"]=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/search/submit.php?config["sipssys"]=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/readmore.php?config["sipssys"]=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/search.php?config["sipssys"]=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/BsiliX_path]/files/mbox-action.php3?BSX_LIBDIR=http://www.google.com/humans.txt?
URI::InvalidURIError: bad URI(is not URI?): http://example.org/[path]/previewtheme.php?theme=1&inc_path=http://www.google.com/humans.txt?cmd
URI::InvalidURIError: bad URI(is not URI?): http://example.org/[path]/previewtheme.php?theme=1&inc_path=cmdhttp://www.google.com/humans.txt?

I have added calls to URI.encode() everywhere I new URI object is created, which should fix the issue.

As an aside, I tried adding a test:

context 'problematic URI parsing' do
  setup { mock_app }
  should 'not raise an exception parsing crazy URIs' do
    get 'http://example.org/sys/code/box.inc.php?config["sipssys"]=http://www.google.com/humans.txt?'
    assert_equal 301, last_response.status
  end
end

However, this doesn't work well because the get call itself in the test blows up trying to parse the URI.

tobmatth added a commit that referenced this pull request Mar 17, 2014
@tobmatth
Merge pull request #67 from tilthouse/uri-parsing
1ef4515 
URI encode before passing to URI object to deal with pathological URIs
@tobmatth tobmatth merged commit 1ef4515 into tobmatth:master Mar 17, 2014
@tobmatth
Copy link
Owner

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tilthouse @tobmatth