app/controller/function&q=everythingyoucanthinkof . NEVER . EVER. EVER. build queries without proper escaping.
On Monday, September 12, 2016 at 3:12:50 PM UTC+2, Lisandro wrote: > > Hi there! > I have a simple view with a form (with GET method), in order to allow my > visitors to do some search. > The controller/function that processes the get is this: > > def search(): > session.forget(response) > query = "tsv @@ plainto_tsquery('%s')" % request.vars.q > total = db.executesql('SELECT COUNT(*) FROM contenido WHERE %s' % > query) > results = db(query).select() > return dict(results=results) > > As you can see, I use a tsv field to implement postgresql full text > search. The funcion is working ok. > But *yesterday, I had an attack attempt*, or something like that. In > just one hour, some robot sent a lot of queries to that URL, putting > "garbage" in the "q" parameter. > > How did I notice that? Well, *in just one hour around 500 error tickets > were created* in the /errors folder. All the errors have this form: > > - unterminated quoted string at or near > "'../../../../../../../../../../windows/win.ini" LINE 1: ...tsv @@ > plainto_tsquery('../../../... ^ > - unterminated quoted string at or near > "'1some_inexistent_file_with_long_name" LINE 1: ...tsv @@ > plainto_tsquery('1some_ine... ^ > - unterminated quoted string at or near > "'../../../../../../../../../../etc/passwd" LINE 1: ...tsv @@ > plainto_tsquery('../../../... ^ > - invalid byte sequence for encoding "UTF8": 0xf0 0x20 0x20 0xf0 > - invalid byte sequence for encoding "UTF8": 0xf6 0x22 0x20 0x6f > - invalid byte sequence for encoding "UTF8": 0xa0 > > > *I've already tried to use the search form with those query strings, but I > cannot reproduce the error.* > *How could the robot send those bytes to the query function?* > > Of course I can add a try: except: block, however I was wondering how to > reproduce the error, I wasn't able to do it. > Any help will be appreciated. > > Thanks in advance! > Regards, > Lisandro. > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.