Internal Server Error 500 - Web_Service 0 while retrieving [...] which was HTTP status 404

VERIFIED FIXED

Status

Product: Socorro
Component: General
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 7 years ago
Modified: 5 years ago

People

(Reporter: stephend, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fuzzer], URL)

(In reply to comment #0)
> Not sure if this is a duplicate or what, but:
> 
> https://crash-stats-dev.allizom.org/query/query?query_type=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&do_query=1&query=Find+Crash+ID+or+Signature
> throws the following exception, I'm told:
> 
> 2011-08-02 09:27:13 -07:00 --- Web_Service 0 while retrieving
> http://socorro-api-dev-internal/bpapi/201105/search/signatures/product/Firefox/build/3/in/signature/search_mode/contains/for/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%00.php/crash_reason/3/to/2011-08-02+09%3A00%3A04/from/2011-07-26+09%3A00%3A04/report_type/hang/report_process/plugin/result_number/100/
> which was HTTP status 404
> 
> (I hope that's the right one -- wish we could get these exceptions in an
> easier-to-digest/access format.)

The problem is that Apache will override everything and return a 404 if an encoded "/" is passed (this is a common attack technique), and we run middleware (socorro-api-internal) under mod_wsgi/apache.

Here's the error from Apache's log:

[Tue Aug 02 10:02:00 2011] [info] [client 10.2.74.61] found %2f (encoded '/') in URI (decoded='/bpapi/201005/adu/byday/p/Firefox/v/6.0a2;5.01;7.0a1/rt/hang/os/Linux/start/http://www.netsparker.com?/end/2011-08-01'), returning 404

If anything I think we should just make the frontend handle 404s (perhaps by returning a 404 itself).
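The handling the comment above asks for, as an added example that is not Socorro's own code: the frontend checks a user-supplied signature before embedding it in the internal API path (anything that decodes to a "/" or NUL can never be routed through Apache, so it is answered with a 400 up front), and an upstream 404 is translated into a client error instead of surfacing as a 500. The `SEARCH_URL` shape and the `fetch` callback are assumptions made for the example.

```python
from http import HTTPStatus
from urllib.parse import quote, unquote

# Assumed route shape, modelled on the middleware URL quoted in comment 0.
SEARCH_URL = "http://socorro-api-dev-internal/bpapi/201105/search/signatures/signature/{signature}/"

# Characters a single path segment can never carry: Apache answers 404 for an
# encoded "/" (default AllowEncodedSlashes Off) and NUL truncates C strings.
FORBIDDEN = {"/", "\\", "\x00"}


def validate_signature(raw):
    """Return the percent-encoded signature for the API path, or None if the
    value could never be served because it decodes to a path separator or NUL."""
    decoded = raw
    for _ in range(3):  # decode until stable so %252F (double-encoded "/") is caught too
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if any(ch in decoded for ch in FORBIDDEN):
        return None
    return quote(raw, safe="")


def frontend_status_for(upstream_status):
    """Status the frontend should send when the middleware answered upstream_status.
    The bug was that an unexpected upstream answer became an unhandled 500."""
    if upstream_status == HTTPStatus.NOT_FOUND:
        return HTTPStatus.BAD_REQUEST  # the caller's query could not be routed
    if 200 <= upstream_status < 300:
        return HTTPStatus.OK
    return HTTPStatus.INTERNAL_SERVER_ERROR  # a genuine middleware failure


def handle_query(signature, fetch):
    """Validate, forward via fetch(url) -> status code, and translate the result.
    Never raises on an upstream 4xx."""
    encoded = validate_signature(signature)
    if encoded is None:
        return HTTPStatus.BAD_REQUEST
    return frontend_status_for(fetch(SEARCH_URL.format(signature=encoded)))


if __name__ == "__main__":
    # Constructed inputs: a normal signature and the fuzzer's traversal payload.
    print(handle_query("js::GC", lambda url: 200))                       # 200
    print(handle_query("..%2F..%2Fetc%2Fpasswd%00.php", lambda url: 404))  # 400
```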
(Assignee)

Updated

6 years ago
Component: Socorro → General
Product: Webtools → Socorro

Comment 2

5 years ago
No longer 500s. 400 Bad Request instead.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 3

5 years ago
We now do indeed throw a 400:

[10:52:52.815] GET https://crash-stats.allizom.org/query/?query_type=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&do_query=1&query=Find+Crash+ID+or+Signature [HTTP/1.1 400 BAD REQUEST 1193ms]
Status: RESOLVED → VERIFIED