Hello Ferran,
My dev 1.0.1.1218 and latest maint-1.1 sites correctly display a 404 not
found page for either
/record/xxx/files/wp-whatever
/record/xxx/wp-whatever
/record/wp-whatever
without sending me an exception error
The same applies if wp-whatever is replaced by "../../etc/passwd" and
the likes.
I tried the same with cds.lib.auth.gr and it also displays a 404 error
(I don't know if an error is logged).
Hmmm...
Best regards,
Theodoros
On 25/4/2013 12:13 PM, Ferran Jorba wrote:
Hello Samuele,
Is there any progress on this issue? Under 1.1 the missing pages
produce much more noise than the old mod_python.
sorry to come back to this issue only now. Indeed a fix for this has been
provided for maint-1.0 in:
commit 22f4e36755d7103e420da10968f60430ed797c26
Author: Samuele Kaplun <samuele.kap...@cern.ch>
Date: Fri Dec 7 15:06:46 2012 +0100
bibdocfile: better error report for unknown format
I've taken a look and it doesn't seem to me that it provides a fix for the
/index.php, /phpmyadmin.php, ../../../etc/passwd or /wp-whatever hits,
exceptions and subsequent mails that I'm constantly getting from our
Traces system since we are at 1.1. Under 0.99 old mod_python Invenio,
Apache handled those not-found, but now they are caught by wsgi Invenio,
causing those mail floods on my inbox.
commit 6d6e985c9abcf02bd85f9eb442e116547eb1f531
Merge: 35fae49 22f4e36
Author: Tibor Simko <tibor.si...@cern.ch>
Date: Thu Dec 20 10:53:36 2012 +0100
Merge branch 'maint-1.0' into maint-1.1
* maint-1.0:
bibdocfile: better error report for unknown format
I think you should be able to safely update to latest maint-1.1 in order to
benefit from this fix.
Again, after reading the patch I see it as if it only handles
/record/x/file/whatever attacks, but not the others. Maybe I'm wrong.
So, I understand that we need a general solution to provide an (a) 404
not found to the attacker, and/or (b) a digested summary to the admin.
Aren't the other sites having this flood of attacks? I doubt we are the
only ones.
Thanks,
Ferran
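The general solution Ferran asks for, (a) a plain 404 to the prober and (b) a digested summary to the admin, sketched as a WSGI wrapper. This is an added example written for this page; it is not Invenio's code and not the patch discussed above. The inner application, its single `/record/<id>` route, the exception class `UnknownPath`, the client address and the probe list are all constructed for illustration.

```python
"""Added example (not Invenio's code): a WSGI wrapper that answers unknown-path
probes with a plain 404 and folds them into one admin digest, instead of one
exception mail per hit.  Inner app, route, client address, probes: constructed."""
import collections
import re


class UnknownPath(LookupError):
    """Raised by the inner app for a URL it has no handler for."""


RECORD_RE = re.compile(r"/record/(\d+)")  # assumed: the only real route


def noisy_app(environ, start_response):
    """Stand-in for an app that raises on every unknown URL, i.e. the
    'one exception mail per probe' behaviour the thread describes."""
    path = environ.get("PATH_INFO", "/")
    m = RECORD_RE.fullmatch(path)
    if m is None:
        raise UnknownPath(path)
    body = f"record {m.group(1)}\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


class NotFoundDigest:
    """Counts not-found hits per (client, path): one summary, not one mail each."""

    def __init__(self):
        self.hits = collections.Counter()

    def record(self, remote, path):
        self.hits[(remote, path)] += 1

    def flush(self):
        """Return digest text (most frequent first) and reset; run from cron."""
        rows = sorted(self.hits.items(), key=lambda kv: (-kv[1], kv[0]))
        self.hits.clear()
        return "\n".join(f"{n:5d}  {remote:<15}  {path}"
                         for (remote, path), n in rows)


def has_traversal(path):
    """True when any path segment is '..' (the ../../etc/passwd probes)."""
    return ".." in path.split("/")


def quiet_404(app, digest):
    """Wrap app: traversal probes and UnknownPath become a quiet 404."""
    def wrapper(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not has_traversal(path):
            started = []

            def _start(status, headers, exc_info=None):
                started.append(status)
                return start_response(status, headers, exc_info)
            try:
                return app(environ, _start)
            except UnknownPath:
                if started:  # headers already sent: too late to replace
                    raise
            # Only UnknownPath is swallowed; other exceptions propagate so
            # genuine bugs still reach the admin.
        digest.record(environ.get("REMOTE_ADDR", "-"), path)
        body = b"404 Not Found\n"
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    return wrapper


def call(app, path, remote="203.0.113.7"):
    """Drive a WSGI app for one GET; return (status, body_text)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


PROBES = [  # constructed sample of the hits the thread complains about
    "/record/123", "/record/123/files/wp-whatever", "/record/wp-whatever",
    "/record/123/../../etc/passwd", "/index.php", "/phpmyadmin.php", "/index.php",
]


def run_demo(probes=PROBES):
    """Serve the probes through the wrapper; return (statuses, digest_text)."""
    digest = NotFoundDigest()
    app = quiet_404(noisy_app, digest)
    statuses = [call(app, p)[0] for p in probes]
    return statuses, digest.flush()
```

Two design points matter here. The wrapper catches only the not-found exception class, never a bare `Exception`, so a real bug in a handler still produces the exception mail; and it refuses to swap in a 404 once the inner app has already called `start_response`, because at that point the headers are committed. The `..` check is belt-and-braces: a front-end such as Apache usually collapses those segments before the path reaches WSGI, but the check costs nothing and makes the example self-contained. The digest is meant to be flushed on a schedule (cron, once a day), which is what turns a flood of per-hit mails into one summary.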