Bug in WAAbstractFileLibrary
Locked
 
|
Hi there,
over the last few nights, our Seaside Application was bombarded with requests that were formed like this: /files/JQUiDeploymentLibrary/%29.find%28 The attacks did also try other javascript expressions. Unfortunately, WAAbstractFileLibrary reacts to this by throwing a primitive failed on VA Smalltalk in WAAbstractFileLibrary class>>#asSelector:, because the javascript expression cannot be interpreted as a filename. Here's an excerpt of our walkback that shows what's going on. String(Object)>>#primitiveFailed receiver = '' String>>#at: receiver = '' arg1 = 1 String(SequenceableCollection)>>#first receiver = '' JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#asSelector: receiver = JQUiDeploymentLibrary arg1 = ').find(' temp1 = '' temp2 = nil JQUiDeploymentLibrary(WAAbstractFileLibrary)>>#asSelector: receiver = a JQUiDeploymentLibrary arg1 = ').find(' JQUiDeploymentLibrary(WAFileLibrary)>>#handle: receiver = a JQUiDeploymentLibrary arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' temp1 = ').find(' temp2 = nil temp3 = nil JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#handle: receiver = JQUiDeploymentLibrary arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' I am on the road and have no pharo/seaside image with me, but if I remember correctly, pharo does not throw an exception when you ask an empty string for its #first character, I seem to remember it just returns nil. VA Smalltalk does throw an exception. It does not stop working, so this is not a critical problem. However, I think an additional check in #asSelector: wouldn't hurt because then the result is an http error code 404, which can either be returned to the client or removed by filters like mod_security. So here is a fix for WAAbstractFileLibrary class>>asSelector: that I suggest for inclusion in Seaside, even if it is unnecessary for Pharo: asSelector: aFilename | mainPart extension | mainPart := (aFilename copyUpToLast: $.) select: [ :each | each isAlphaNumeric ]. mainPart isEmptyOrNil ifTrue: [^nil]. [ mainPart first isDigit ] whileTrue: [ mainPart := mainPart allButFirst ]. extension := (aFilename copyAfterLast: $.) asLowercase capitalized. ^ (mainPart, extension) asSymbol Joachim _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: Bug in WAAbstractFileLibrary
|
|
On Mon, Apr 14, 2014 at 6:01 AM, Joachim Tuchel <[hidden email]> wrote:
> Hi there, > > over the last few nights, our Seaside Application was bombarded with > requests that were formed like this: > > /files/JQUiDeploymentLibrary/%29.find%28 > > The attacks did also try other javascript expressions. > > Unfortunately, WAAbstractFileLibrary reacts to this by throwing a primitive > failed on VA Smalltalk in WAAbstractFileLibrary class>>#asSelector:, because > the javascript expression cannot be interpreted as a filename. > > Here's an excerpt of our walkback that shows what's going on. > > String(Object)>>#primitiveFailed > receiver = '' > String>>#at: > receiver = '' > arg1 = 1 > String(SequenceableCollection)>>#first > receiver = '' > JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#asSelector: > receiver = JQUiDeploymentLibrary > arg1 = ').find(' > temp1 = '' > temp2 = nil > JQUiDeploymentLibrary(WAAbstractFileLibrary)>>#asSelector: > receiver = a JQUiDeploymentLibrary > arg1 = ').find(' > JQUiDeploymentLibrary(WAFileLibrary)>>#handle: > receiver = a JQUiDeploymentLibrary > arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' > temp1 = ').find(' > temp2 = nil > temp3 = nil > JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#handle: > receiver = JQUiDeploymentLibrary > arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' > > I am on the road and have no pharo/seaside image with me, but if I remember > correctly, pharo does not throw an exception when you ask an empty string > for its #first character, I seem to remember it just returns nil. VA > Smalltalk does throw an exception. It does not stop working, so this is not > a critical problem. > > However, I think an additional check in #asSelector: wouldn't hurt because > then the result is an http error code 404, which can either be returned to > the client or removed by filters like mod_security. > > So here is a fix for WAAbstractFileLibrary class>>asSelector: that I suggest > for inclusion in Seaside, even if it is unnecessary for Pharo: > > asSelector: aFilename > | mainPart extension | > mainPart := (aFilename copyUpToLast: $.) > select: [ :each | each isAlphaNumeric ]. > > mainPart isEmptyOrNil ifTrue: [^nil]. > > [ mainPart first isDigit ] > whileTrue: [ mainPart := mainPart allButFirst ]. > extension := (aFilename copyAfterLast: $.) asLowercase capitalized. > ^ (mainPart, extension) asSymbol https://code.google.com/p/seaside/issues/detail?id=786 Cheers Philippe _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: Bug in WAAbstractFileLibrary
|
|
In reply to this post by jtuchel
Hi Joachim,
Thank you for the report and the suggested fix. I think that returning a 404 rather than throwing an exception is indeed a good suggestion. In Pharo 3, at least, this also throws an exception (it is not ignored), so the behaviour is the same. But most importantly, I think you should not use a WAFileLibrary in production. Not really because of these problems, but because serving static files can be done way more efficiently by your front-end web server. best regards, Johan On 14 Apr 2014, at 06:01, Joachim Tuchel <[hidden email]> wrote: > Hi there, > > over the last few nights, our Seaside Application was bombarded with requests that were formed like this: > > /files/JQUiDeploymentLibrary/%29.find%28 > > The attacks did also try other javascript expressions. > > Unfortunately, WAAbstractFileLibrary reacts to this by throwing a primitive failed on VA Smalltalk in WAAbstractFileLibrary class>>#asSelector:, because the javascript expression cannot be interpreted as a filename. > > Here's an excerpt of our walkback that shows what's going on. > > String(Object)>>#primitiveFailed > receiver = '' > String>>#at: > receiver = '' > arg1 = 1 > String(SequenceableCollection)>>#first > receiver = '' > JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#asSelector: > receiver = JQUiDeploymentLibrary > arg1 = ').find(' > temp1 = '' > temp2 = nil > JQUiDeploymentLibrary(WAAbstractFileLibrary)>>#asSelector: > receiver = a JQUiDeploymentLibrary > arg1 = ').find(' > JQUiDeploymentLibrary(WAFileLibrary)>>#handle: > receiver = a JQUiDeploymentLibrary > arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' > temp1 = ').find(' > temp2 = nil > temp3 = nil > JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#handle: > receiver = JQUiDeploymentLibrary > arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' > > I am on the road and have no pharo/seaside image with me, but if I remember correctly, pharo does not throw an exception when you ask an empty string for its #first character, I seem to remember it just returns nil. VA Smalltalk does throw an exception. It does not stop working, so this is not a critical problem. > > However, I think an additional check in #asSelector: wouldn't hurt because then the result is an http error code 404, which can either be returned to the client or removed by filters like mod_security. > > So here is a fix for WAAbstractFileLibrary class>>asSelector: that I suggest for inclusion in Seaside, even if it is unnecessary for Pharo: > > asSelector: aFilename > | mainPart extension | > mainPart := (aFilename copyUpToLast: $.) > select: [ :each | each isAlphaNumeric ]. > > mainPart isEmptyOrNil ifTrue: [^nil]. > > [ mainPart first isDigit ] > whileTrue: [ mainPart := mainPart allButFirst ]. > extension := (aFilename copyAfterLast: $.) asLowercase capitalized. > ^ (mainPart, extension) asSymbol > > Joachim > > > > _______________________________________________ > seaside mailing list > [hidden email] > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
|
|
In reply to this post by Philippe Marschall
Thanks Philippe!
Am 14.04.2014 um 09:52 schrieb Philippe Marschall <[hidden email]>: > On Mon, Apr 14, 2014 at 6:01 AM, Joachim Tuchel <[hidden email]> wrote: >> Hi there, >> >> over the last few nights, our Seaside Application was bombarded with >> requests that were formed like this: >> >> /files/JQUiDeploymentLibrary/%29.find%28 >> >> The attacks did also try other javascript expressions. >> >> Unfortunately, WAAbstractFileLibrary reacts to this by throwing a primitive >> failed on VA Smalltalk in WAAbstractFileLibrary class>>#asSelector:, because >> the javascript expression cannot be interpreted as a filename. >> >> Here's an excerpt of our walkback that shows what's going on. >> >> String(Object)>>#primitiveFailed >> receiver = '' >> String>>#at: >> receiver = '' >> arg1 = 1 >> String(SequenceableCollection)>>#first >> receiver = '' >> JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#asSelector: >> receiver = JQUiDeploymentLibrary >> arg1 = ').find(' >> temp1 = '' >> temp2 = nil >> JQUiDeploymentLibrary(WAAbstractFileLibrary)>>#asSelector: >> receiver = a JQUiDeploymentLibrary >> arg1 = ').find(' >> JQUiDeploymentLibrary(WAFileLibrary)>>#handle: >> receiver = a JQUiDeploymentLibrary >> arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' >> temp1 = ').find(' >> temp2 = nil >> temp3 = nil >> JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#handle: >> receiver = JQUiDeploymentLibrary >> arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' >> >> I am on the road and have no pharo/seaside image with me, but if I remember >> correctly, pharo does not throw an exception when you ask an empty string >> for its #first character, I seem to remember it just returns nil. VA >> Smalltalk does throw an exception. It does not stop working, so this is not >> a critical problem. >> >> However, I think an additional check in #asSelector: wouldn't hurt because >> then the result is an http error code 404, which can either be returned to >> the client or removed by filters like mod_security. >> >> So here is a fix for WAAbstractFileLibrary class>>asSelector: that I suggest >> for inclusion in Seaside, even if it is unnecessary for Pharo: >> >> asSelector: aFilename >> | mainPart extension | >> mainPart := (aFilename copyUpToLast: $.) >> select: [ :each | each isAlphaNumeric ]. >> >> mainPart isEmptyOrNil ifTrue: [^nil]. >> >> [ mainPart first isDigit ] >> whileTrue: [ mainPart := mainPart allButFirst ]. >> extension := (aFilename copyAfterLast: $.) asLowercase capitalized. >> ^ (mainPart, extension) asSymbol > > https://code.google.com/p/seaside/issues/detail?id=786 > > Cheers > Philippe > _______________________________________________ > seaside mailing list > [hidden email] > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside > seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
|
|
In reply to this post by Johan Brichau-2
Hi Johan,
you are right, I tried '' first in Pharo 2.0 and got a SubscriptOutOfBounds. I remember I had some other String operation that reacted differently in Pharo than in VAST. This was also related to some encoding/decoding problem. So I almost would've not told you about the problem because I was convinced you wouldn't see the problem on Pharo... So I am glad I did. You are, of course, perfectly right. I shouldn't use WAFileLibrary to serve things like JQuery. But you know how things are when you've got lots of other problems. Outsourcing that job to Apache is on my list, somewhere... down there ... ;-) I am not seeing any performance bottlenecks and the hassle of deploying my files to some directory and write a rewrite rule and stuff seems unjustified. And I like the thought that there is this last resort should I see performance problems ;-) Joachim Am 14.04.14 09:52, schrieb Johan Brichau: > Hi Joachim, > > Thank you for the report and the suggested fix. > I think that returning a 404 rather than throwing an exception is indeed a good suggestion. > In Pharo 3, at least, this also throws an exception (it is not ignored), so the behaviour is the same. > > But most importantly, I think you should not use a WAFileLibrary in production. > Not really because of these problems, but because serving static files can be done way more efficiently by your front-end web server. > > best regards, > Johan > > On 14 Apr 2014, at 06:01, Joachim Tuchel <[hidden email]> wrote: > >> Hi there, >> >> over the last few nights, our Seaside Application was bombarded with requests that were formed like this: >> >> /files/JQUiDeploymentLibrary/%29.find%28 >> >> The attacks did also try other javascript expressions. >> >> Unfortunately, WAAbstractFileLibrary reacts to this by throwing a primitive failed on VA Smalltalk in WAAbstractFileLibrary class>>#asSelector:, because the javascript expression cannot be interpreted as a filename. >> >> Here's an excerpt of our walkback that shows what's going on. >> >> String(Object)>>#primitiveFailed >> receiver = '' >> String>>#at: >> receiver = '' >> arg1 = 1 >> String(SequenceableCollection)>>#first >> receiver = '' >> JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#asSelector: >> receiver = JQUiDeploymentLibrary >> arg1 = ').find(' >> temp1 = '' >> temp2 = nil >> JQUiDeploymentLibrary(WAAbstractFileLibrary)>>#asSelector: >> receiver = a JQUiDeploymentLibrary >> arg1 = ').find(' >> JQUiDeploymentLibrary(WAFileLibrary)>>#handle: >> receiver = a JQUiDeploymentLibrary >> arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' >> temp1 = ').find(' >> temp2 = nil >> temp3 = nil >> JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#handle: >> receiver = JQUiDeploymentLibrary >> arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28' >> >> I am on the road and have no pharo/seaside image with me, but if I remember correctly, pharo does not throw an exception when you ask an empty string for its #first character, I seem to remember it just returns nil. VA Smalltalk does throw an exception. It does not stop working, so this is not a critical problem. >> >> However, I think an additional check in #asSelector: wouldn't hurt because then the result is an http error code 404, which can either be returned to the client or removed by filters like mod_security. >> >> So here is a fix for WAAbstractFileLibrary class>>asSelector: that I suggest for inclusion in Seaside, even if it is unnecessary for Pharo: >> >> asSelector: aFilename >> | mainPart extension | >> mainPart := (aFilename copyUpToLast: $.) >> select: [ :each | each isAlphaNumeric ]. >> >> mainPart isEmptyOrNil ifTrue: [^nil]. >> >> [ mainPart first isDigit ] >> whileTrue: [ mainPart := mainPart allButFirst ]. >> extension := (aFilename copyAfterLast: $.) asLowercase capitalized. >> ^ (mainPart, extension) asSymbol >> >> Joachim >> >> >> >> _______________________________________________ >> seaside mailing list >> [hidden email] >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside > _______________________________________________ > seaside mailing list > [hidden email] > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside > _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
«
Return to Seaside General
|
1 view|%1 views
| Free forum by Nabble | Edit this page |