[Glass] security / dos attacks
Otto Behrens
otto at finworks.biz
Mon Dec 23 05:36:50 PST 2013
Hi,
We've been getting some hacking / DoS attempts on our sites.
In some cases, we do get a successful crash of the FCGI server. I'm
still trying to find those.
In my hunt for this, I found that some requests create an Internal
Server Error response. For example, a GET on /%C0%AE generates the
following message: 'InterpreterError 2258: Primitive failed , selector
<#'_unicodePrim:'> receiver <'À®'>'
I'm worried that this somehow opens a gap to hack into the system, so
I think it is better to respond with a 404 or something like that.
Does this make sense? I was thinking that I should be chasing down 500
responses so that we can catch where they manage to break the server.
Have you encountered this? Any ideas on solving it?
Here's what I found so far:
1. The method WAFastCGIAdaptor | requestUrlFor: creates a WAUrl and
then calls #decodeWith: on it, which breaks.
2. In the code that creates the WAUrl, it calls #decode: on the path
segments, which decodes %C0 as a UTF8 character. (WAUrl | decode:).
3. Doing this breaks:
(String with: (Character codePoint: 192) with: (Character codePoint: 174)) decodeFromUTF8
Thanks
Otto
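An added example, not code from Otto's post or from Seaside/GemStone: a strict UTF-8 check in Python that rejects the overlong sequence C0 AE from the post (and other malformed input) before the path reaches a decoder, answering 404 rather than raising. `utf8_error` and `handle_path` are hypothetical names standing in for the adaptor's decode step.

```python
from urllib.parse import unquote_to_bytes

def utf8_error(data: bytes):
    """Return None if data is well-formed UTF-8, else a short reason string.
    Rejects overlong forms, UTF-16 surrogates and code points above U+10FFFF."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                      # plain ASCII byte
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:             # 2-byte lead (C0/C1 can only be overlong)
            need, minimum = 1, 0x80
        elif 0xE0 <= b <= 0xEF:           # 3-byte lead
            need, minimum = 2, 0x800
        elif 0xF0 <= b <= 0xF4:           # 4-byte lead
            need, minimum = 3, 0x10000
        else:
            return f"invalid lead byte 0x{b:02X} at offset {i}"
        if i + need >= n:
            return f"truncated sequence at offset {i}"
        cp = b & (0x3F >> need)           # payload bits of the lead byte
        for k in range(1, need + 1):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                return f"bad continuation byte 0x{c:02X} at offset {i + k}"
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:                  # e.g. C0 AE -> U+002E '.', the case in the post
            return f"overlong encoding of U+{cp:04X} at offset {i}"
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            return f"illegal code point U+{cp:04X} at offset {i}"
        i += need + 1
    return None

def handle_path(raw_path: str):
    """Hypothetical replacement for the adaptor's decode step: percent-decode to
    bytes, validate, and answer 404 instead of raising on malformed UTF-8."""
    decoded = unquote_to_bytes(raw_path)
    err = utf8_error(decoded)
    if err is not None:
        return 404, f"rejected {raw_path!r}: {err}"
    return 200, decoded.decode("utf-8")

if __name__ == "__main__":
    # constructed sample paths: the one from the post plus a few other malformed cases
    for path in ("/%C0%AE", "/caf%C3%A9", "/%E0%80%AE", "/%ED%A0%80", "/%C3"):
        print(path, "->", handle_path(path))
```

Validating the raw bytes before any decode is what keeps the 500 (and the primitive failure it reports) off the wire; the same check can be applied to query strings and headers.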