tapestry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Volker Lamp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TAP5-2436) Dont throw an IllgealArgumentException on illegal chars in the url
Date Tue, 11 Aug 2015 09:05:45 GMT

    [ https://issues.apache.org/jira/browse/TAP5-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14681480#comment-14681480

Volker Lamp commented on TAP5-2436:

I agree. A Bad Request response would be correct and useful at the same time.

This would probably be a good way to deal with another thing I see happen in production occasionally:
attempts to submit the login form without the formdata parameter.

> Dont throw an IllgealArgumentException on illegal chars in the url
> ------------------------------------------------------------------
>                 Key: TAP5-2436
>                 URL: https://issues.apache.org/jira/browse/TAP5-2436
>             Project: Tapestry 5
>          Issue Type: Improvement
>          Components: tapestry-core
>    Affects Versions: 5.4
>            Reporter: quurks
> A few days ago some tool tried to find vulnerabilites by checking urls like /pageid=99999'
. This lead to dozens of exception reports like 
> Exception type: java.lang.IllegalArgumentException
> Message: Input string 'pageid=99999'' is not valid; the character '=' at position 7 is
not valid.
> This should either be a custom exception type, so it can be handled without parsing the
IllegalArgumentException message or it should be a 400 - Bad request, which would also allow
for a custom error page.

This message was sent by Atlassian JIRA

View raw message