Closed Bug 243764 Opened 21 years ago Closed 13 years ago

Trailing slashes cause unexpected errors

Categories

(Bugzilla :: Bugzilla-General, defect)

Product:
Bugzilla
Component:
Bugzilla-General
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.4

People

(Reporter: timeless, Assigned: LpSolit)

References

(
URL
)

Details

Attachments

(1 file)

patch, v1
817 bytes, patch
dkl
: review+
Details | Diff | Splinter Review
1. load http://bugzilla.mozilla.org/enter_bug.cgi/ 2. select bugzilla 3. select creating/changing bugs 4. enter the url from 1. 5. enter the summary "Trailing slashes cause ie to get very unhappy" 6. enter this comment. 7. include comments 7, 8 and 9 8. enter expected results 9. click submit expected results: bug filed actual results: http://bugzilla.mozilla.org/enter_bug.cgi/post_bug.cgi complete with the currently almost filed bug. note that at this point you can continue making changes and clicking submit. your bug will never be filed. when you're tired. open a normal bug reporting page and copy all the values.
Every browser I know will do that, not just IE. That's part of the HTTP standard. That's user error for putting a slash on the end of the URL. It'd be a pain in the butt to detect it and redirect you out of it, but I suppose it could be done. Is it worth it?
How did you get a URL with a trailing slash?
Arguably, the error is the web-server's - the URL timeless gives means "the default resource in a directory called enter_bug.cgi", and such a thing doesn't exist. Gerv
The real issue is why did http://bugzilla.mozilla.org/enter_bug.cgi/ load a page in the first place?
That's how CGI works. It's not the webserver's fault. An executable CGI file is treated as a directory to the end user, if there is additional pathname tacked on the end of it. The additional path beyond the name of the CGI itself is passed in on the PATH_INFO environment variable. The entire concept of how LXR works is built around this. :) Go take a look. :) The easiest thing for us to do to short-circuit this from our end would be to see if PATH_INFO contains anything in Bugzilla/CGI.pm and issue a 302 redirect back to the same URL without the extra path on the end if there's stuff in it.
I thought that there was extra apache config stuff for LXR. Can we turn this off via apache, or add a rewrite rule?
The only reason Apache needs extra config for Tinderbox is because the filename of the script doesn't end in .cgi, so we have to tell Apache to override that and treat it as a cgi anyway.
QA Contact: mattyt-bugzilla → default-qa
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Trailing slashes cause ie to get very unhappy → Trailing slashes cause unexpected errors
*** Bug 342842 has been marked as a duplicate of this bug. ***
Assignee: myk → create-and-change
Attached patch patch, v1Splinter Review
$ENV{PATH_INFO} can only be used to try to abuse Bugzilla or the browser as Bugzilla doesn't use it at all. To avoid unexpected behaviors or attacks, we should remove it from the URL entirely and resubmit the stripped URL.
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
Attachment #633798 - Flags: review?(glob)
Attachment #633798 - Flags: review?(dkl)
Severity: normal → minor
Component: Creating/Changing Bugs → Bugzilla-General
OS: Windows XP → All
Hardware: x86 → All
Target Milestone: --- → Bugzilla 4.4
Comment on attachment 633798 [details] [diff] [review] patch, v1 Review of attachment 633798 [details] [diff] [review]: ----------------------------------------------------------------- This patch breaks the REST extension I am working on which relies on path_info() to work properly. Is it possible to rework this patch to only redirect if path_info eq '/' or will that not fix the possible abuses originally proposed? dkl
(In reply to David Lawrence [:dkl] from comment #13) > This patch breaks the REST extension I am working on which relies on > path_info() to work properly. Is it possible to > rework this patch to only redirect if path_info eq '/' or will that not fix > the possible abuses originally proposed? This will not fix the abuses, see bugs marked as duplicates of this one.
(In reply to Frédéric Buclin from comment #12) > $ENV{PATH_INFO} can only be used to try to abuse Bugzilla or the browser as > Bugzilla doesn't use it at all. To avoid unexpected behaviors or attacks, we > should remove it from the URL entirely and resubmit the stripped URL. I've looked at the duplicate bugs and can't see any attacks. Do you have details on what security problems this may cause? We shouldn't break this without good cause. I can certainly see how it would be useful to the REST extension. Gerv
(In reply to Gervase Markham [:gerv] from comment #15) > I've looked at the duplicate bugs and can't see any attacks. Do you have > details on what security problems this may cause? Some investigation is needed, but it seems this causes bug 765430. Also, http://search.cpan.org/~markstos/CGI/lib/CGI.pm#path_info reports that: "NOTE: The Microsoft Internet Information Server is broken with respect to additional path information. If you use the Perl DLL library, the IIS server will attempt to execute the additional path information as a Perl script." The "additional path information as a Perl script" seems dangerous as I'm not sure how this could be used.
(In reply to Frédéric Buclin from comment #16) > "NOTE: The Microsoft Internet Information Server is broken with respect to > additional path information. If you use the Perl DLL library, the IIS server > will attempt to execute the additional path information as a Perl script." Can we then only do this cleansing if the webs server is detected to be IIS and otherwise leave it alone? I will need to override the Bugzilla/CGI.pm method in the REST extension if we go forward with this for all web servers and I would rather not do (and maintain) that. dkl
(In reply to David Lawrence [:dkl] from comment #17) > method in the REST extension Does your REST extension really need to have access to all .cgi scripts? How do you parse the URL?
(In reply to Frédéric Buclin from comment #18) > (In reply to David Lawrence [:dkl] from comment #17) > > method in the REST extension > > Does your REST extension really need to have access to all .cgi scripts? How > do you parse the URL? No. The REST extension has it's own entry point (rest.cgi) that need to have full access to the actual path_info data. If your patch could somehow use a blacklist and wipe out the path_info only for those cgis that would help me out in that case. dkl
A blacklist seems a bad idea as all scripts should be blacklisted by default. A whitelist would make more sense. But we cannot whitelist a script which is not in the source code by default. @glob: do you remember why you introduced "path_info => 1" in your patch for bug 38862 as we don't use it?
(In reply to Frédéric Buclin from comment #20) > @glob: do you remember why you introduced "path_info => 1" in your patch for > bug 38862 as we don't use it? if you're talking about redirect_to_urlbase, it's there to ensure the redirect changes just the urlbase; that function shouldn't alter anything else about the path. (In reply to Frédéric Buclin from comment #20) > A blacklist seems a bad idea as all scripts should be blacklisted by > default. A whitelist would make more sense. But we cannot whitelist a script > which is not in the source code by default. a whitelist with a hook.
The REST API will eventually be shipped with Bugzilla, I strongly suggest and recommend, and therefore this will be a short-term problem. Still, a hook also seems fine. Gerv
(In reply to Gervase Markham [:gerv] from comment #22) > The REST API will eventually be shipped with Bugzilla, I strongly suggest > and recommend, and therefore this will be a short-term problem. Still, a > hook also seems fine. I don't see how the REST API would change anything. None of the .cgi scripts understand nor use the path info. AFAIK, the REST API will point to a unique .cgi script, right?
(In reply to Frédéric Buclin from comment #23) > (In reply to Gervase Markham [:gerv] from comment #22) > > The REST API will eventually be shipped with Bugzilla, I strongly suggest > > and recommend, and therefore this will be a short-term problem. Still, a > > hook also seems fine. > > I don't see how the REST API would change anything. None of the .cgi scripts > understand nor use the path info. AFAIK, the REST API will point to a unique > .cgi script, right? REST uses the path info to determine what resource to load or action to take. For example for a client to access information about Bug 12345, it woudl typically use https://bugzilla.mozilla.org/rest.cgi/bug/12345 where here /bug/12345 is the path_info and is parsed to load bug 12345. Of course using Apaches mod_rewrite I clean it up some to be https://bugzilla.mozilla.org/rest/bug/12345 but the path_info is the same. There are many other variations of path_info to perform different tasks based also on request methods such as GET, POST, PUT, and DELETE but you get the idea. dkl
Comment on attachment 633798 [details] [diff] [review] patch, v1 Review of attachment 633798 [details] [diff] [review]: ----------------------------------------------------------------- r=dkl. I will have the REST extension workaround this by either utilizing mod_rewrite or by sub classing Bugzilla/CGI and overriding new(). dkl
Attachment #633798 - Flags: review?(dkl) → review+
Attachment #633798 - Flags: review?(glob)
Comment on attachment 633798 [details] [diff] [review] patch, v1 Review of attachment 633798 [details] [diff] [review]: ----------------------------------------------------------------- ::: Bugzilla/CGI.pm @@ +57,5 @@ > # Make sure our outgoing cookie list is empty on each invocation > $self->{Bugzilla_cookie_list} = []; > > + # Path-Info is of no use for Bugzilla and interacts badly with IIS. > + # Moreover, it causes unexepected behaviors, such as totally breaking unexpected*
Pushing it in the approval queue for now. I have 200 bugmails to read first. :) I will clear the approval queue later today.
Flags: approval?
Flags: approval? → approval+
(In reply to David Lawrence [:dkl] from comment #25) > I will have the REST extension workaround this [...] Note that once REST is part of the core code, it will be trivial to append |if $script_name ne 'rest.cgi'| to the redirect, or something similar. Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/ modified Bugzilla/CGI.pm Committed revision 8297.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Blocks: 783386
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: