Unhandled Exception from Long URL String With Many Character Types

VERIFIED FIXED in 1.1

Status

--
major
VERIFIED FIXED
8 years ago
3 years ago

People

(Reporter: mcoates, Assigned: davedash)

Tracking

Details

(Whiteboard: [infrasec:input], URL)

Issue

The following URL generates an Internal Server Error (unhandled exception).

(I just stumbled onto this site and performed a few basic checks. Will this site be submitted to infrasec for a security review? https://intranet.mozilla.org/SecurityReview/ReviewRequest)


Recommended Remediation

Perform input validation against the query value and do not process invalid input types.  Most likely you can limit the query values to [a-zA-Z0-9]. You may need to add in some special characters such as . - etc.  However, non-printable characters such as %00 through %1F can most likely be dropped.  In addition, a maximum length could be set for the q value.


http://input.mozilla.com/search/?q=%2500+%2501+%2502+%2503+%2504+%2505+%2506+%2507+%2508+%2509+%250A+%250B+%250C+%250D+%250E+%250F+%2510+%2511+%2512+%2513+%2514+%2515+%2516+%2517+%2518+%2519+%251A+%251B+%251C+%251D+%251E+%251F+%2520+%2521+%2522+%2523+%2524+%2525+%2526+%2527+%2528+%2529+%252A+%252B+%252C+%252D+%252E+%252F+%2530+%2531+%2532+%2533+%2534+%2535+%2536+%2537+%2538+%2539+%253A+%253B+%253C+%253D+%253E+%253F+%2540+%2541+%2542+%2543+%2544+%2545+%2546+%2547+%2548+%2549+%254A+%254B+%254C+%254D+%254E+%254F+%2550+%2551+%2552+%2553+%2554+%2555+%2556+%2557+%2558+%2559+%255A+%255B+%255C+%255D+%255E+%255F+%2560+%2561+%2562+%2563+%2564+%2565+%2566+%2567+%2568+%2569+%256A+%256B+%256C+%256D+%256E+%256F+%2570+%2571+%2572+%2573+%2574+%2575+%2576+%2577+%2578+%2579+%257A+%257B+%257C+%257D+%257E+%257F+%2580+%2581+%2582+%2583+%2584+%2585+%2586+%2587+%2588+%2589+%258A+%258B+%258C+%258D+%258E+%258F+%2590+%2591+%2592+%2593+%2594+%2595+%2596+%2597+%2598+%2599+%259A+%259B+%259C+%259D+%259E+%259F+%25100+%25101+%25102+%25103+%25104+%25105+%25106+%25107+%25108+%25109+%2510A+%2510B+%2510C+%2510D+%2510E+%2510F&product=firefox&version=3.6.4
Thanks for the bug, Michael. I just got the corresponding traceback via email, and could've guessed it was you ;)

As for the security review, let me send you the PRD so you know the basic interactions and can assess possible pain points. I'll also file a bug.
Assignee: nobody → fwenzel
Target Milestone: --- → 1.1
Assigning this to Dave Dash, though if this is not quasi-included in the search work, feel free to throw it back to me!
Assignee: fwenzel → dd
Depends on: 576535
The Sphinx branch just landed on trunk, and Sphinx does not suffer from this, unlike Whoosh. We'll close this when IT has set it up and it's working.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
verified FIXED on production with Sphinx
Status: RESOLVED → VERIFIED
Component: Input → General
Product: Webtools → Input
Group: webtools-security → websites-security
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
You need to log in before you can comment on or make changes to this bug.