[web2py] Re: Need help to understand (and reproduce) this error

Tue, 13 Sep 2016 02:52:26 -0700 

app/controller/function&q=everythingyoucanthinkof .

NEVER . EVER. EVER. build queries without proper escaping.

On Monday, September 12, 2016 at 3:12:50 PM UTC+2, Lisandro wrote:
>
> Hi there!
> I have a simple view with a form (with GET method), in order to allow my 
> visitors to do some search. 
> The controller/function that processes the get is this:
>
> def search():
>     session.forget(response)
>     query = "tsv @@ plainto_tsquery('%s')" % request.vars.q
>     total = db.executesql('SELECT COUNT(*) FROM contenido WHERE %s' % 
> query)
>     results = db(query).select()
>     return dict(results=results)
>
> As you can see, I use a tsv field to implement postgresql full text 
> search. The funcion is working ok.
> But *yesterday, I had an attack attempt*, or something like that.  In 
> just one hour, some robot sent a lot of queries to that URL, putting 
> "garbage" in the "q" parameter.
>
> How did I notice that? Well, *in just one hour around 500 error tickets 
> were created* in the /errors folder. All the errors have this form:
>
>    - unterminated quoted string at or near 
>    "'../../../../../../../../../../windows/win.ini" LINE 1: ...tsv @@ 
>    plainto_tsquery('../../../... ^
>    - unterminated quoted string at or near 
>    "'1some_inexistent_file_with_long_name" LINE 1: ...tsv @@ 
>    plainto_tsquery('1some_ine... ^ 
>    - unterminated quoted string at or near 
>    "'../../../../../../../../../../etc/passwd" LINE 1: ...tsv @@ 
>    plainto_tsquery('../../../... ^ 
>    - invalid byte sequence for encoding "UTF8": 0xf0 0x20 0x20 0xf0
>    - invalid byte sequence for encoding "UTF8": 0xf6 0x22 0x20 0x6f
>    - invalid byte sequence for encoding "UTF8": 0xa0
>    
>
> *I've already tried to use the search form with those query strings, but I 
> cannot reproduce the error.*
> *How could the robot send those bytes to the query function?*
>
> Of course I can add a try: except: block, however I was wondering how to 
> reproduce the error, I wasn't able to do it.
> Any help will be appreciated.
>
> Thanks in advance!
> Regards, 
> Lisandro.
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to