tapestry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jochen Kemnade (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TAP5-2436) Don't throw an IllgealArgumentException on illegal chars in the url
Date Wed, 12 Aug 2015 07:24:45 GMT

    [ https://issues.apache.org/jira/browse/TAP5-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14693050#comment-14693050
] 

Jochen Kemnade commented on TAP5-2436:
--------------------------------------

Here's a trace, might be helpful.
{noformat}
09:15:08.536 [qtp596512129-36] ERROR o.a.t.m.T.RequestExceptionHandler - Processing of request
failed with uncaught exception: java.lang.IllegalArgumentException: Input string 'pageid=123'
is not valid; the character '=' at position 7 is not valid.
java.lang.IllegalArgumentException: Input string 'pageid=123' is not valid; the character
'=' at position 7 is not valid.
	at org.apache.tapestry5.internal.services.URLEncoderImpl.decode(URLEncoderImpl.java:145)
~[tapestry-core-5.4-beta-34.jar:na]
	at $URLEncoder_9a7e4b07197d.decode(Unknown Source) ~[na:na]
	at org.apache.tapestry5.internal.services.ContextPathEncoderImpl.decodePath(ContextPathEncoderImpl.java:92)
~[tapestry-core-5.4-beta-34.jar:na]
	at $ContextPathEncoder_9a7e4b071965.decodePath(Unknown Source) ~[na:na]
	at org.apache.tapestry5.internal.services.ComponentEventLinkEncoderImpl.checkIfPage(ComponentEventLinkEncoderImpl.java:499)
~[tapestry-core-5.4-beta-34.jar:na]
	at org.apache.tapestry5.internal.services.ComponentEventLinkEncoderImpl.decodePageRenderRequest(ComponentEventLinkEncoderImpl.java:454)
~[tapestry-core-5.4-beta-34.jar:na]
	at org.apache.tapestry5.internal.services.linktransform.LinkTransformerInterceptor.decodePageRenderRequest(LinkTransformerInterceptor.java:68)
~[tapestry-core-5.4-beta-34.jar:na]
	at $ComponentEventLinkEncoder_9a7e4b071953.decodePageRenderRequest(Unknown Source) ~[na:na]
	at org.apache.tapestry5.internal.services.PageRenderDispatcher.dispatch(PageRenderDispatcher.java:51)
~[tapestry-core-5.4-beta-34.jar:na]
...
{noformat}
I agree that this should be turned into a proper HTTP error, but I'm not sure if 400 is really
appropriate. The request is not malformed, the syntax is okay, we just cannot handle it. I
guess, we should rather send a 422 or just a 404.

> Don't throw an IllgealArgumentException on illegal chars in the url
> -------------------------------------------------------------------
>
>                 Key: TAP5-2436
>                 URL: https://issues.apache.org/jira/browse/TAP5-2436
>             Project: Tapestry 5
>          Issue Type: Improvement
>          Components: tapestry-core
>    Affects Versions: 5.4
>            Reporter: quurks
>
> A few days ago some tool tried to find vulnerabilites by checking urls like /pageid=99999'
. This lead to dozens of exception reports like 
> Exception type: java.lang.IllegalArgumentException
> Message: Input string 'pageid=99999'' is not valid; the character '=' at position 7 is
not valid.
> This should either be a custom exception type, so it can be handled without parsing the
IllegalArgumentException message or it should be a 400 - Bad request, which would also allow
for a custom error page.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message