atoponce / d-note

Self destructing encrypted notes

A too short or too long URL results in 500 error. Should be a 404. #41

Open atoponce opened 10 years ago

atoponce commented 10 years ago

Suppose the link to your secret note is https://ae7.st/d/pAJj58F5ozdoEz_w-fEBdw. If there is a typo in the link, such as https://ae7.st/d/pAJj58F5ozdoEz_w-fEBdW, it properly gives a 404. However, if the URL ID is too short, such as https://ae7.st/d/pAJj58F5ozdoEz_w-fEBd, or too long, such as https://ae7.st/d/pAJj58F5ozdoEz_w-fEBdwwww, it gives a 500 error. It should properly raise a 404, if the URL does not exist, regardless of length.
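As an added example (not code from d-note or from anyone in this thread) of the validation this report calls for: a Python 3 parser for note IDs that turns every malformed ID into a 404 decision instead of an exception, and so a 500. It assumes the 22-character ID length that JackZielke's patch further down checks for, and the `store` dict is a constructed stand-in for the note database.

```python
import base64
import binascii
import re
from typing import Optional

# A note ID is a 16-byte nonce as urlsafe base64 with its "==" padding
# stripped: 24 - 2 = 22 characters (the figure JackZielke's patch checks).
NOTE_ID_LEN = 22
_NOTE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{%d}$" % NOTE_ID_LEN)


def parse_note_id(note_id: str) -> Optional[bytes]:
    """Return the nonce bytes for a well-formed note ID, or None if malformed.

    Nothing here raises on client-controlled input, so a bad URL can never
    surface as a 500 from the WSGI app; None is the caller's cue for a 404.
    """
    if not isinstance(note_id, str) or not _NOTE_ID_RE.match(note_id):
        return None  # too short, too long, or characters outside the alphabet
    try:
        nonce = base64.urlsafe_b64decode(note_id + "==")
    except (binascii.Error, ValueError):
        return None
    # The decoder ignores stray low bits in the last character, so several
    # strings decode to the same nonce. The server only issues the canonical
    # one; reject the aliases rather than letting them reach the database.
    if base64.urlsafe_b64encode(nonce).rstrip(b"=").decode("ascii") != note_id:
        return None
    return nonce


def note_status(note_id: str, store: dict) -> int:
    """HTTP status for GET /d/<note_id>; `store` stands in for the note DB,
    keyed by nonce bytes (a constructed dict in the demo below)."""
    nonce = parse_note_id(note_id)
    if nonce is None or nonce not in store:
        return 404
    return 200


if __name__ == "__main__":
    # IDs from the bug report: valid, typo, too short, too long, plus robots.txt
    good = "pAJj58F5ozdoEz_w-fEBdw"
    store = {parse_note_id(good): b"<ciphertext>"}  # constructed sample store
    for path in (good, "pAJj58F5ozdoEz_w-fEBdW", "pAJj58F5ozdoEz_w-fEBd",
                 "pAJj58F5ozdoEz_w-fEBdwwww", "robots.txt"):
        print(f"GET /d/{path:<26} -> {note_status(path, store)}")
```

The typo'd ID from the report fails the canonical-form check, so it is refused before any key derivation or database lookup, which is the same 404 the report says it gets today but reached without touching the crypto.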

JackZielke commented 9 years ago

This also occurs when search engines try to load robots.txt.

66.249.64.24 - - [26/Jan/2015:16:12:23 -0500] "GET /robots.txt HTTP/1.1" 500 5474 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.64.28 - - [26/Jan/2015:16:12:58 -0500] "GET /robots.txt HTTP/1.1" 500 5474 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Thijssss commented 7 years ago

I ran into this same issue. Apache cannot overwrite the DocumentError for WSGI unless it's running as a daemon. I figured I would just patch it locally for now to get around the issue altogether. I used a random word which works OK to get back a regular error message:

--- /linux/d-note-master/dnote/note.py  2015-10-29 21:16:22.000000000 +0100
+++ note.py     2017-01-09 11:51:28.030837067 +0100
@@ -108,8 +108,14 @@

         self.url = url
         url = url + "==" # add the padding back
-        self.nonce = base64.urlsafe_b64decode(url.encode("utf-8"))
-        self.f_key = KDF.PBKDF2(
+
+        try:
+               self.nonce = base64.urlsafe_b64decode(url.encode("utf-8"))
+       except:
+               url = "errormessage=="
+               self.nonce = base64.urlsafe_b64decode(url.encode("utf-8"))
+
+       self.f_key = KDF.PBKDF2(
             self.nonce, dconfig.nonce_salt.decode("hex"), 16)
         self.aes_key = KDF.PBKDF2(
             self.nonce, dconfig.aes_salt.decode("hex"), 32)
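Review bot: the bare `except:` around `base64.urlsafe_b64decode` swallows every exception, and the fallback then substitutes the fixed string `"errormessage=="` and carries on into `KDF.PBKDF2`, so a malformed URL is not rejected here; it is turned into a lookup for a nonce that happens not to exist, after two PBKDF2 derivations on garbage input. Catching only the decode error (`TypeError` on the Python 2 this code's `.decode("hex")` implies, `binascii.Error` on Python 3) and raising the application's not-found response directly would make the intent explicit. The added lines also mix indentation widths (`try:` is indented 8 columns, `except:` and the following `self.f_key` 7), which Python will reject unless these are tabs the diff has flattened.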

JackZielke commented 7 years ago

I went with a different route, but you still end up with normal-looking 404s.

Date:   Tue Mar 8 17:49:03 2016 -0500

    404 instead of 500 on incorrect note lengths

diff --git a/dnote/note.py b/dnote/note.py
index 6bb3387..b54d5eb 100644
--- a/dnote/note.py
+++ b/dnote/note.py
@@ -106,6 +106,8 @@ class Note(object):
         keyword arguments:
         url -- the url after the FQDN provided by the client"""

+        if len(url) != 22:
+            return
         self.url = url
         url = url + "==" # add the padding back
         self.nonce = base64.urlsafe_b64decode(url.encode("utf-8"))
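Review bot: if this is `Note.__init__`, as the docstring's "keyword arguments: url" suggests, the early `return` leaves the object half-built: `self.url` and `self.nonce` (and whatever the following lines derive from them) are never set, so whichever caller turns this into a 404 must be doing so because an attribute is missing rather than because it was told the ID is invalid. Raising the application's not-found error, or a dedicated exception, at this point would make the 404 deliberate rather than incidental. The literal `22` also wants a named constant with a one-line derivation next to it: the `"=="` re-added on the following line shows two padding characters were stripped, so 22 + 2 = 24 base64 characters, i.e. a 16-byte nonce; a reader should not have to rediscover that. As a side effect the check does cover the `/robots.txt` case from the earlier comment, which is worth saying in the commit message.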