Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug in WAAbstractFileLibrary #786

Closed
GoogleCodeExporter opened this issue Mar 25, 2015 · 5 comments
Closed

Bug in WAAbstractFileLibrary #786

GoogleCodeExporter opened this issue Mar 25, 2015 · 5 comments
Labels
auto-migrated Priority-Medium Type-Defect

Comments

@GoogleCodeExporter
Copy link 

Hi there,

over the last few nights, our Seaside Application was bombarded with requests 
that were formed like this:

/files/JQUiDeploymentLibrary/%29.find%28

The attacks did also try other javascript expressions.

Unfortunately, WAAbstractFileLibrary reacts to this by throwing a primitive 
failed on VA Smalltalk in WAAbstractFileLibrary class>>#asSelector:, because 
the javascript expression cannot be interpreted as a filename.

Here's an excerpt of our walkback that shows what's going on.

String(Object)>>#primitiveFailed
  receiver = ''
String>>#at:
  receiver = ''
  arg1 = 1
String(SequenceableCollection)>>#first
  receiver = ''
JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#asSelector:
  receiver = JQUiDeploymentLibrary
  arg1 = ').find('
  temp1 = ''
  temp2 = nil
JQUiDeploymentLibrary(WAAbstractFileLibrary)>>#asSelector:
  receiver = a JQUiDeploymentLibrary
  arg1 = ').find('
JQUiDeploymentLibrary(WAFileLibrary)>>#handle:
  receiver = a JQUiDeploymentLibrary
  arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28'
  temp1 = ').find('
  temp2 = nil
  temp3 = nil
JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#handle:
  receiver = JQUiDeploymentLibrary
  arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28'

I am on the road and have no pharo/seaside image with me, but if I remember 
correctly, pharo does not throw an exception when you ask an empty string for 
its #first character, I seem to remember it just returns nil. VA Smalltalk does 
throw an exception. It does not stop working, so this is not a critical problem.

However, I think an additional check in #asSelector: wouldn't hurt because then 
the result is an http error code 404, which can either be returned to the 
client or removed by filters like mod_security.

So here is a fix for WAAbstractFileLibrary class>>asSelector: that I suggest 
for inclusion in Seaside, even if it is unnecessary for Pharo:

asSelector: aFilename
    | mainPart extension |
    mainPart := (aFilename copyUpToLast: $.)
        select: [ :each | each isAlphaNumeric ].

    mainPart isEmptyOrNil ifTrue: [^nil].

    [ mainPart first isDigit ]
        whileTrue: [ mainPart := mainPart allButFirst ].
    extension := (aFilename copyAfterLast: $.) asLowercase capitalized.
    ^ (mainPart, extension) asSymbol

Joachim

Original issue reported on code.google.com by philippe...@gmail.com on 14 Apr 2014 at 7:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auto-migrated Priority-Medium Type-Defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoogleCodeExporter