app/controller/function&q=everythingyoucanthinkof .
NEVER. EVER. EVER. build queries without proper escaping.
On Monday, September 12, 2016 at 3:12:50 PM UTC+2, Lisandro wrote:
>
> Hi there!
> I have a simple view with a form (with GET method), in order to allow my
> visitors to do some search.
> The controller/function that processes the get is this:
>
> def search():
>     session.forget(response)
>     query = "tsv @@ plainto_tsquery('%s')" % request.vars.q
>     total = db.executesql('SELECT COUNT(*) FROM contenido WHERE %s' % query)
>     results = db(query).select()
>     return dict(results=results)
>
> As you can see, I use a tsv field to implement postgresql full text
> search. The function is working ok.
> But *yesterday, I had an attack attempt*, or something like that. In
> just one hour, some robot sent a lot of queries to that URL, putting
> "garbage" in the "q" parameter.
>
> How did I notice that? Well, *in just one hour around 500 error tickets
> were created* in the /errors folder. All the errors have this form:
>
> - unterminated quoted string at or near "'../../../../../../../../../../windows/win.ini" LINE 1: ...tsv @@ plainto_tsquery('../../../... ^
> - unterminated quoted string at or near "'1some_inexistent_file_with_long_name" LINE 1: ...tsv @@ plainto_tsquery('1some_ine... ^
> - unterminated quoted string at or near "'../../../../../../../../../../etc/passwd" LINE 1: ...tsv @@ plainto_tsquery('../../../... ^
> - invalid byte sequence for encoding "UTF8": 0xf0 0x20 0x20 0xf0
> - invalid byte sequence for encoding "UTF8": 0xf6 0x22 0x20 0x6f
> - invalid byte sequence for encoding "UTF8": 0xa0
>
>
> *I've already tried to use the search form with those query strings, but I
> cannot reproduce the error.*
> *How could the robot send those bytes to the query function?*
>
> Of course I can add a try/except block; however, I was wondering how to
> reproduce the error, and I wasn't able to do it.
> Any help will be appreciated.
>
> Thanks in advance!
> Regards,
> Lisandro.
>
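An added example (not code from this thread or from web2py itself) showing why the string-formatted query breaks on any value that contains a quote, and the parameterized form that does not. It uses Python's bundled sqlite3 and a substring match in place of the PostgreSQL `tsv @@ plainto_tsquery` match; the table name, rows and search terms are constructed, and the closing comment gives the equivalent `db.executesql(..., placeholders=...)` call for web2py's DAL.

```python
import sqlite3

# Constructed in-memory table standing in for the thread's "contenido" table.
# sqlite3 is used because it ships with Python; the injection mechanism is the
# same for PostgreSQL/psycopg2, which is what web2py drives in the thread.
SAMPLE_ROWS = [
    ("hello world",),
    ("o'reilly books",),
    ("windows win.ini notes",),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contenido (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO contenido (body) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_query_unsafe(q):
    # Same shape as the controller in the thread: the raw request value is
    # pasted into the SQL text, so a quote inside q ends the literal early.
    return "SELECT COUNT(*) FROM contenido WHERE instr(body, '%s') > 0" % q


def count_unsafe(conn, q):
    return conn.execute(build_query_unsafe(q)).fetchone()[0]


def unsafe_raises(conn, q):
    # True when the string-built query is rejected by the SQL parser,
    # which is exactly what filled the /errors folder in the thread.
    try:
        count_unsafe(conn, q)
        return False
    except sqlite3.Error:
        return True


def count_safe(conn, q):
    # Parameterized: the driver hands q to the engine separately, so the
    # value is never parsed as SQL whatever quotes or bytes it contains.
    sql = "SELECT COUNT(*) FROM contenido WHERE instr(body, ?) > 0"
    return conn.execute(sql, (q,)).fetchone()[0]


# web2py/PostgreSQL equivalent for the thread's query (psycopg2 uses %s as its
# placeholder marker; the DAL's executesql forwards the placeholders tuple):
# db.executesql("SELECT COUNT(*) FROM contenido WHERE tsv @@ plainto_tsquery(%s)",
#               placeholders=(request.vars.q,))
```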
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.