We've seen several instances of weird HTTP requests in the logs over time. Recently, that one was caught in the logs:

1496338081.111 502 /ga-IE/firefox/tag/.pdf?atype=9&cat=unexisting/../../../../../../../../../../windows/win.ini.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5<snip>\x5C.\x5C&from=/he/firefox/tag/.pdf%3ffrom=/en-US/firefox/tag/.pdf&lang=bg&page=16&sort=created

We should ban such requests entirely; they are never going to be legitimate. From that one we can enact 3 different rules:

- Requests with a super long URL, say more than 2048 characters, should not be allowed. (That one has 6363 characters total)
- Requests with more than 5 instances of "../" should not be allowed
- Requests with more than 5 instances of "\" (\x5C) should not be allowed

For those denied requests an appropriate error code should be returned instead of letting the request go through the app.

I've just picked the limits arbitrarily, feel free to disagree :)
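The three rules proposed above, written out as a small request filter. This is an added example, not code from the bug report or from the site's own code base. The rule names, the choice of 400 as the error code, the percent-decoding step (so that "%2e%2e/" and "%5c" are counted like "../" and "\"), and the sample request-targets are all assumptions made here; the thresholds are the ones the comment proposes.

```python
"""Added example: the three request-filtering rules proposed in the bug comment,
implemented as a standalone Python filter. Not code from the bug or the site;
rule names, the 400 status and the decoding step are assumptions made here.
"""
from urllib.parse import unquote

# Thresholds exactly as proposed in the comment ("more than" means strictly greater).
MAX_URL_LENGTH = 2048   # rule 1: total length of path + query string
MAX_DOTDOT_SLASH = 5    # rule 2: occurrences of "../"
MAX_BACKSLASHES = 5     # rule 3: occurrences of "\" (shown as \x5C in the access log)


def fully_decoded(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    "%2e%2e/" and double-encoded "%252e%252e/" are counted like "../".
    The comment counts literal characters only; this decoding is an addition."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def deny_reason(url: str):
    """Return the name of the first violated rule, or None if the URL is acceptable.

    Rule 1 is checked on the raw request-target (what the log shows); rules 2 and 3
    are checked on the decoded form so that encoding does not hide the pattern.
    """
    if len(url) > MAX_URL_LENGTH:
        return "url_too_long"
    decoded = fully_decoded(url)
    if decoded.count("../") > MAX_DOTDOT_SLASH:
        return "too_many_dotdot_slash"
    if decoded.count("\\") > MAX_BACKSLASHES:
        return "too_many_backslashes"
    return None


def filter_request(url: str):
    """Decide what to do with a request-target: returns (status, reason).
    Denied requests get a 400 and never reach the application; 400 is an
    assumption for the "appropriate error code" the comment leaves open."""
    reason = deny_reason(url)
    if reason is None:
        return (None, None)          # let the application handle it
    return (400, reason)


# Constructed sample request-targets (not real log data). The first one mimics
# the shape of the request quoted in the bug, shortened; the others probe edges.
SAMPLE_URLS = [
    "/ga-IE/firefox/tag/.pdf?atype=9&cat=unexisting/" + "../" * 10
    + "windows/win.ini" + ".\\" * 40 + "&from=/he/firefox/tag/.pdf&lang=bg&page=16",
    "/en-US/firefox/tag/.pdf?from=/he/firefox/tag/.pdf&lang=bg&page=16&sort=created",
    "/x?cat=" + "%2e%2e/" * 6 + "windows/win.ini",      # percent-encoded "../"
    "/x?cat=" + "%252e%252e/" * 6 + "windows/win.ini",  # double-encoded "../"
    "/x?" + "a" * 2100,                                 # nothing suspicious but too long
    "/x?cat=" + "../" * 5,                              # exactly 5: allowed as the rule is written
]


def summarize(urls):
    """Run the filter over a batch of request-targets and tally the outcomes."""
    tally = {}
    for url in urls:
        _status, reason = filter_request(url)
        key = reason if reason else "allowed"
        tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(filter_request(url), url[:60] + ("..." if len(url) > 60 else ""))
    print(summarize(SAMPLE_URLS))
```

The length check deliberately runs on the raw target, since that is the number the comment measured (6363 characters), while the two pattern counts run on the decoded form; counting only literal "../" and "\" would let the same request through once it is percent-encoded. In practice this check belongs in front of the application (web server rule or an early middleware) so the denied request is answered with the error code and never reaches app code.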