Closed seanh closed 5 years ago
I've done some investigating here but I kinda hit a dead end
I managed to reproduce this. It happens if the server receives a /users/.
request. Note the trailing period. Normally if you enter https://hypothes.is/users/.
in your browser the path gets normalized into /users/
before the server sees it. However you can reproduce this locally using curl's --path-as-is
option to disable normalization:
curl --path-as-is https://hypothes.is/users/.
A similar issue can be reproduced with:
curl --path-as-is https://hypothes.is/groups/.
More generally, I suspect this problem will affect any scenario where:
/things/{thing_id}
-style route/things/
route/things/.
(note trailing period)In this case the received request is matched against route (1) and the context root is instantiated, but it seems that __getitem__
is never called on the context root (which would raise a KeyError
) and what gets passed to the view as the context object is an instance of the context root rather than the result of context_root[thing_id]
. In the view code, this is almost certain to trigger an exception due to the context object not being of the expected type.
I'm guessing the reason that it only happened with a specific browser in production (all reports came from a browser identifying as Opera 12.17, released in 2014, assuming that is the real version of the browser), is because that browser is not doing some normalization that modern browsers do. I couldn't reproduce that behaviour installing Opera 12.17 on a VM locally though under Windows 10.
See also https://github.com/Pylons/pyramid/issues/3227
Frankly I think we could choose to simply ignore this issue given how few users it affects. That is, tell Sentry to ignore it until it affects an additional X users. All major browsers will canonicalize the URL in links or entered by the user so this will never happen. One remaining question is why the browser tried to navigate to that URL in the first place. Did the user follow an incorrectly generated link on the page? Did they enter this value manually somewhere?
Seems pretty obscure. I'm happy to tell Sentry to ignore this until it affects X users and close it. As long as the issue isn't causing a broken windows affect by showing up in Sentry
Done in Sentry
https://sentry.io/hypothesis/h/issues/657366232/