
Don't allow suspicious HTTP requests to go through



Cloud Services
Operations: AMO
10 months ago
10 months ago


(Reporter: mat, Unassigned)


Firefox Tracking Flags

(Not tracked)




10 months ago
We've seen several instances of weird HTTP requests in the logs over time. Recently, that one was caught in the logs:

1496338081.111 502 /ga-IE/firefox/tag/.pdf?atype=9&cat=unexisting/../../../../../../../../../../windows/win.ini.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x

We should ban such requests entirely; they are never going to be legitimate. From that one we can enact 3 different rules:
- Requests with a super long URL, say more than 2048 characters, should not be allowed. (That one has 6363 characters total)
- Requests with more than 5 instances of "../" should not be allowed
- Requests with more than 5 instances of "\" (\x5C) should not be allowed

For those denied requests an appropriate error code should be returned instead of letting the request go through the app.

I've just picked the limits arbitrarily, feel free to disagree :)
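A filter that applies the three proposed rules and answers with an error before the request reaches the app, as an added example that is not code from this bug or from AMO. The WSGI middleware shape, the 414/400 status codes, and counting "../" and "\" on the percent-decoded URL (so "%2e%2e%2f" is not a bypass) are assumptions added here; the sample request is constructed to match the log line quoted above.

```python
"""Deny suspicious requests (long URL, many "../", many backslashes) before the app."""
from http import HTTPStatus
from typing import Optional, Tuple
from urllib.parse import unquote

MAX_URL_LENGTH = 2048   # rule 1: total URL length (path + query)
MAX_DOTDOT = 5          # rule 2: occurrences of "../"
MAX_BACKSLASH = 5       # rule 3: occurrences of "\" (byte 0x5C)


def check_request(path: str, query: str = "") -> Optional[Tuple[int, str]]:
    """Return None if the request may pass, else (status, reason) to deny it.

    The length check runs on the raw URL; the traversal checks run on the
    percent-decoded URL (assumption: decoding first, so encoded "../" counts too).
    """
    raw = path + ("?" + query if query else "")
    if len(raw) > MAX_URL_LENGTH:
        return 414, "URL longer than %d characters" % MAX_URL_LENGTH
    decoded = unquote(raw)
    if decoded.count("../") > MAX_DOTDOT:
        return 400, "more than %d '../' sequences" % MAX_DOTDOT
    if decoded.count("\\") > MAX_BACKSLASH:
        return 400, "more than %d backslashes" % MAX_BACKSLASH
    return None


class SuspiciousRequestFilter:
    """WSGI middleware: short-circuit denied requests so the app never sees them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        verdict = check_request(environ.get("PATH_INFO", ""),
                                environ.get("QUERY_STRING", ""))
        if verdict is None:
            return self.app(environ, start_response)
        status, reason = verdict
        body = reason.encode()
        start_response("%d %s" % (status, HTTPStatus(status).phrase),
                       [("Content-Type", "text/plain"),
                        ("Content-Length", str(len(body)))])
        return [body]


# Constructed sample modelled on the request quoted in the bug report; the log
# printed each backslash as "\x5C", here they are real backslash characters.
SAMPLE_PATH = "/ga-IE/firefox/tag/.pdf"
SAMPLE_QUERY = "atype=9&cat=unexisting" + "/.." * 10 + "/windows/win.ini" + ".\\" * 10
```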