Closed Bug 675978 Opened 13 years ago Closed 11 years ago

Internal Server Error 500 - Web_Service 0 while retrieving [...] which was HTTP status 404

Categories

(Socorro :: General, task)

task
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: stephend, Unassigned)

Details

(Whiteboard: [fuzzer])

(In reply to comment #0)
> Not sure if this is a duplicate or what, but:
> 
> https://crash-stats-dev.allizom.org/query/query?query_type=http://example.
> com/%3f%0D%0Ans:
> %20netsparker056650=vuln&do_query=1&query=Find+Crash+ID+or+Signature throws
> the following exception, I'm told:
> 
> 2011-08-02 09:27:13 -07:00 --- Web_Service 0 while retrieving
> http://socorro-api-dev-internal/bpapi/201105/search/signatures/product/
> Firefox/build/3/in/signature/search_mode/contains/for/..%252F..%252F..%252F..
> %252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%00.php/
> crash_reason/3/to/2011-08-02+09%3A00%3A04/from/2011-07-26+09%3A00%3A04/
> report_type/hang/report_process/plugin/result_number/100/ which was HTTP
> status 404
> 
> (I hope that's the right one -- wish we could get these exceptions in an
> easier-to-digest/access format.)

The problem is that Apache will override everything and return a 404 if an encoded "/" is passed (this is a common attack technique), and we run middleware (socorro-api-internal) under mod_wsgi/apache.

Here's the error from Apache's log:

[Tue Aug 02 10:02:00 2011] [info] [client 10.2.74.61] found %2f (encoded '/') in URI (decoded='/bpapi/201005/adu/byday/p/Firefox/v/6.0a2;5.01;7.0a1/rt/hang/os/Linux/start/http://www.netsparker.com?/end/2011-08-01'), returning 404

If anything I think we should just make the frontend handle 404s (perhaps by returning a 404 itself).
Component: Socorro → General
Product: Webtools → Socorro
No longer 500's. 400 bad request, instead.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
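
An added example, not Socorro's own code, of a frontend-side check that rejects such values with a 400 before the middleware URL is built, so Apache's encoded-slash 404 never surfaces as a 500. The function names, the decode-layer cap, the forbidden-character set and the abbreviated path layout are assumptions made for illustration.

```python
from urllib.parse import quote, unquote

MAX_DECODE_ROUNDS = 5   # assumption: cap on nested percent-encoding layers
# Assumption: characters never allowed inside one path segment.
FORBIDDEN = ("/", "\\", "\x00", "\r", "\n")


class BadRequest(Exception):
    """Raised by the frontend; maps to HTTP 400 instead of an unhandled 500."""
    status = 400


def find_forbidden(value):
    """Return (char, layer) for the first forbidden character found at any
    percent-decoding layer of value, or None if the value is clean."""
    current = value
    for layer in range(MAX_DECODE_ROUNDS + 1):
        for ch in FORBIDDEN:
            if ch in current:
                return ch, layer
        decoded = unquote(current)
        if decoded == current:      # fully decoded, nothing left to peel
            return None
        current = decoded
    # Still changing after the cap: reject rather than guess.
    return "%", MAX_DECODE_ROUNDS


def build_search_path(signature, product="Firefox"):
    """Build a path in the style of the middleware URL quoted in the bug
    (abbreviated, hypothetical layout); reject values that would place an
    encoded '/' or a control character in it."""
    for name, value in (("product", product), ("signature", signature)):
        hit = find_forbidden(value)
        if hit:
            raise BadRequest(
                f"{name}: forbidden {hit[0]!r} at decode layer {hit[1]}")
    return "/bpapi/201105/search/signatures/product/{}/for/{}/".format(
        quote(product, safe=""), quote(signature, safe=""))
```

Checking every decoding layer matters because the value in the report is double-encoded (`%252F`), which a single-pass check for `%2F` would miss.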