[Seaside] Bug in WAAbstractFileLibrary
Joachim Tuchel
jtuchel at objektfabrik.de
Mon Apr 14 04:01:46 UTC 2014
Hi there,
over the last few nights, our Seaside application was bombarded with
requests that were formed like this:
/files/JQUiDeploymentLibrary/%29.find%28
The attacks also tried other JavaScript expressions.
Unfortunately, WAAbstractFileLibrary reacts to this by throwing a
primitiveFailed on VA Smalltalk in WAAbstractFileLibrary
class>>#asSelector:, because the JavaScript expression cannot be
interpreted as a filename.
Here's an excerpt of our walkback that shows what's going on.
String(Object)>>#primitiveFailed
receiver = ''
String>>#at:
receiver = ''
arg1 = 1
String(SequenceableCollection)>>#first
receiver = ''
JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#asSelector:
receiver = JQUiDeploymentLibrary
arg1 = ').find('
temp1 = ''
temp2 = nil
JQUiDeploymentLibrary(WAAbstractFileLibrary)>>#asSelector:
receiver = a JQUiDeploymentLibrary
arg1 = ').find('
JQUiDeploymentLibrary(WAFileLibrary)>>#handle:
receiver = a JQUiDeploymentLibrary
arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28'
temp1 = ').find('
temp2 = nil
temp3 = nil
JQUiDeploymentLibrary class(WAAbstractFileLibrary class)>>#handle:
receiver = JQUiDeploymentLibrary
arg1 = a WARequestContext url: '/files/JQUiDeploymentLibrary/%29.find%28'
I am on the road and have no Pharo/Seaside image with me, but if I
remember correctly, Pharo does not throw an exception when you ask an
empty string for its #first character; I seem to remember it just
returns nil. VA Smalltalk does throw an exception. It does not stop
working, so this is not a critical problem.
However, I think an additional check in #asSelector: wouldn't hurt,
because then the result is an HTTP 404 error code, which can either be
returned to the client or filtered out by tools like mod_security.
So here is a fix for WAAbstractFileLibrary class>>asSelector: that I
suggest for inclusion in Seaside, even if it is unnecessary for Pharo:
asSelector: aFilename
	"Derive the accessor selector from a file name, e.g. 'jquery-ui.js' -> #jqueryuiJs.
	Answer nil instead of failing when nothing usable is left of the name."
	| mainPart extension |
	mainPart := (aFilename copyUpToLast: $.)
		select: [ :each | each isAlphaNumeric ].
	"e.g. ').find(' leaves an empty string after the select:"
	mainPart isEmptyOrNil ifTrue: [ ^ nil ].
	"a selector cannot start with a digit, so drop leading digits;
	guard against running off the end, e.g. '123.js' leaves nothing behind"
	[ mainPart notEmpty and: [ mainPart first isDigit ] ]
		whileTrue: [ mainPart := mainPart allButFirst ].
	mainPart isEmpty ifTrue: [ ^ nil ].
	extension := (aFilename copyAfterLast: $.) asLowercase capitalized.
	^ (mainPart , extension) asSymbol
Joachim
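The following is an added example, not part of the original message and not Seaside's own code: a small Python model of the filename-to-selector derivation described above (split at the last dot, keep alphanumerics, drop leading digits, append the capitalized extension) together with a simplified stand-in for the /files/<Library>/<file> dispatch, so the attack request from the walkback and the all-digit edge case can be run through it offline. The library name, the selector set `LIBRARY_SELECTORS` and the `handle` function are constructed for illustration and only approximate what WAFileLibrary>>handle: does.

```python
import string
import urllib.parse

ALNUM = set(string.ascii_letters + string.digits)


def as_selector(filename):
    """Model of WAAbstractFileLibrary class>>asSelector: with the empty-name guards.

    Mirrors the Smalltalk steps: split at the last '.', keep only alphanumerics in
    the main part, drop leading digits (a selector cannot start with one), then
    append the lower-cased, capitalized extension.  Returns None exactly where the
    unguarded original would send #first to an empty string.
    """
    if "." in filename:
        main_part, extension = filename.rsplit(".", 1)
    else:
        main_part, extension = filename, ""
    main_part = "".join(c for c in main_part if c in ALNUM)
    if not main_part:                       # e.g. ').find(' -> ')' -> ''
        return None
    main_part = main_part.lstrip(string.digits)
    if not main_part:                       # e.g. '123.js' -> '123' -> ''
        return None
    return main_part + extension.lower().capitalize()


# Constructed stand-in for the selectors a file library actually implements
# (a real library derives these from its file accessor methods).
LIBRARY_SELECTORS = {"jqueryuiJs", "jqueryuiCss"}


def handle(request_path, library_name="JQUiDeploymentLibrary",
           selectors=LIBRARY_SELECTORS):
    """Simplified (hypothetical) model of WAFileLibrary>>handle: for /files/<Library>/<file>.

    Returns the selector that would be sent, or 404 when the name does not map
    to an accessor the library implements.  Path segments arrive percent-encoded,
    so '%29.find%28' is decoded to ').find(' before the lookup, as in the walkback.
    """
    parts = request_path.split("/")
    if len(parts) != 4 or parts[1] != "files" or parts[2] != library_name:
        return 404
    selector = as_selector(urllib.parse.unquote(parts[3]))
    if selector is None or selector not in selectors:
        return 404
    return selector


if __name__ == "__main__":
    for path in ("/files/JQUiDeploymentLibrary/jquery-ui.js",
                 "/files/JQUiDeploymentLibrary/%29.find%28",
                 "/files/JQUiDeploymentLibrary/123.js"):
        print(path, "->", handle(path))
```

The second guard matters because the first one alone still lets a name such as 123.js strip itself down to an empty string inside the digit loop and fail on #first in the same way.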
More information about the seaside mailing list