Project

General

Profile

Development #33079

traces inutiles fuzzing dans /tracking-code/

Added by Thomas Noël 3 months ago. Updated 3 months ago.

Status:
Solution déployée
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
14 May 2019
Due date:
% Done:

0%

Patch proposed:
No
Planning:
No

Description

Unsafe redirect to URL with protocol 'file'

Report at /tracking-code/
Unsafe redirect to URL with protocol 'file'

Request Method: POST
Request URL: https://departement06.test.entrouvert.org/tracking-code/
Django Version: 1.11.20
Python Executable: /usr/bin/uwsgi-core
Python Version: 2.7.13
Python Path: ['.', '', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages']
Server time: mar, 14 Mai 2019 11:13:52 +0200
Installed Applications:
''
Installed Middleware:
''

Request information:
USER: ca829e61a2d94ee89a6c2b19148ccf

GET: No GET data

POST:
url = u'file://path/to/file'
cell = u'44'
code = u'{{8*8}}'

0001-wcs-raise-a-bad-request-when-tracking-code-is-missin.patch View (1.79 KB) Frédéric Péters, 02 Jun 2019 06:11 PM


Related issues

Related to Hobo - Development #33620: ne pas logguer les "Unsafe redirect" Nouveau 03 Jun 2019

Associated revisions

Revision 6439c43b (diff)
Added by Frédéric Péters 3 months ago

wcs: raise a bad request when tracking code is missing from request (#33079)

History

#1 Updated by Thomas Noël 3 months ago

  • Subject changed from trace inutile sur tentative d'url fake sur to trace inutile sur tentative d'url fake sur /tracking-code/ (suite à du fuzzing)

#2 Updated by Thomas Noël 3 months ago

  • Subject changed from trace inutile sur tentative d'url fake sur /tracking-code/ (suite à du fuzzing) to traces inutiles fuzzing dans /tracking-code/

Dans la même série, POST sans code :

Internal Server Error: /tracking-code/

MultiValueDictKeyError at /tracking-code/
"'code'" 

Request Method: POST
Request URL: https://departement06.test.entrouvert.org/tracking-code/
Django Version: 1.11.20
Python Executable: /usr/bin/uwsgi-core
Python Version: 2.7.13
Python Path: ['.', '', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages']
Server time: mar, 14 Mai 2019 11:57:15 +0200
Installed Applications:
''
Installed Middleware:
''

Traceback:

File "/usr/lib/python2.7/dist-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _legacy_get_response
  249.             response = self._get_response(request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/usr/lib/python2.7/dist-packages/django/views/generic/base.py" in view
  68.             return self.dispatch(request, *args, **kwargs)

File "/usr/lib/python2.7/dist-packages/django/views/decorators/csrf.py" in wrapped_view
  58.         return view_func(*args, **kwargs)

File "/usr/lib/python2.7/dist-packages/combo/apps/wcs/views.py" in dispatch
  41.         return super(TrackingCodeView, self).dispatch(*args, **kwargs)

File "/usr/lib/python2.7/dist-packages/django/views/generic/base.py" in dispatch
  88.         return handler(request, *args, **kwargs)

File "/usr/lib/python2.7/dist-packages/combo/apps/wcs/views.py" in post
  63.         code = request.POST['code']

File "/usr/lib/python2.7/dist-packages/django/utils/datastructures.py" in __getitem__
  85.             raise MultiValueDictKeyError(repr(key))

Exception Type: MultiValueDictKeyError at /tracking-code/
Exception Value: "'code'" 
Request information:
USER: AnonymousUser

GET: No GET data

POST:
cell = u'44'

FILES: No FILES data

COOKIES: No cookie data

#3 Updated by Frédéric Péters 3 months ago

#4 Updated by Thomas Noël 3 months ago

Yep. J'ai mis un peu de temps à relire parce que le ticket au départ parlait d'une alerte à cause de « url = u'file://path/to/file' ». Mais en fait ton patch est tout bien qui gère le manque de "code", que j'indiquais dans la suite du ticket. Tu peux le pousser et on laisse le ticket ouvert, je vais regarder le cas de l'URL mal formattée.

#5 Updated by Frédéric Péters 3 months ago

  • Status changed from Solution proposée to En cours
  • Patch proposed changed from Yes to No

Ah oui pas fait gaffe que la trace posée dans le commentaire n'était pas la même,

commit 6439c43b482c393320295aa5e0f59c4f317ecfd9
Author: Frédéric Péters <fpeters@entrouvert.com>
Date:   Sun Jun 2 18:11:10 2019 +0200

    wcs: raise a bad request when tracking code is missing from request (#33079)

#6 Updated by Frédéric Péters 3 months ago

  • Status changed from En cours to Résolu (à déployer)

Pour la partie "unsafe redirect", plutôt hobo, j'ai créé #33620.

#7 Updated by Frédéric Péters 3 months ago

#8 Updated by Frédéric Péters 3 months ago

  • Status changed from Résolu (à déployer) to Solution déployée

Also available in: Atom PDF