798511 - Stripping or mal-forming args (leaving out delimiters) falls back to Win32

Status: RESOLVED WONTFIX

(Webtools :: Bouncer, defect)

Description

[Stephen Donner [:stephend] Not actively reading bugmail]

If I do (omitting the "=" between the "os" arg and its value "osx":

host-4-224:~ sdonner$ curl -o /dev/null -v 'https://download.allizom.org/?product=firefox-16.0b6&lang=en-US&ososx'

I get:

> GET /?product=firefox-16.0b6&lang=en-US&ososx HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: download.allizom.org
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Fri, 05 Oct 2012 19:28:39 GMT
< Server: Apache
< X-Backend-Server: bouncer1.stage.webapp.phx1.mozilla.com
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private
< Pragma: no-cache
< Location: http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/16.0b6/win32/en-US/Firefox%20Setup%2016.0b6.exe
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8

So it still sends me a Win32 binary; is that fallback?  Intended?

Comment 1

[Brandon Savage [:brandon]]

This behavior is expected. The download link is composed by m.o or by stub installer; no user would ever be hitting this directly. So we expect that the URL is not malformed, and we have defaults in case some pieces are missing.

Comment 2

[Matt Brandt [:mbrandt]]

:brandon,

Can you outline what the defaults are for os & lang? What's the heuristic?

Comment 3

[Brandon Savage [:brandon]]

Sure. The code is pretty simple for an operating system:

// if we don't have an os, make it windows, playing the odds
if (empty($_GET['os'])) {
    $_GET['os'] = 'win';
}

Same for language:

    // if we got a language, query for it, otherwise get US English
    if (!empty($_GET['lang']))
        $where_lang = $_GET['lang'];
    else
        $where_lang = 'en-US';

No heuristics at all.

Comment 4

[William Durand [:willdurand]]

This sounds like a bug in an older version of the bouncer, closing.