jimsynz / faye-rails

Simple Rails glue for the Faye messaging protocol.
MIT License

null byte in message's channel #65

Open godsent opened 9 years ago

godsent commented 9 years ago

FayeRails::RackAdapter::RoutingExtension#incoming uses File.fnmatch? to match the channel name. If the channel name contains a null byte "\0", an ArgumentError would be raised. The exception will drop the server (checked with Thin and WEBrick). faye-browser.js includes channel names at lines 928..932; a malefactor can add a null byte to the channel name there via Firebug.

godsent commented 9 years ago

Pull request https://github.com/jamesotron/faye-rails/pull/66 created

Bishop commented 9 years ago

Better solution https://github.com/SoftSwiss/faye-rails/commit/d698e733c9383a4bc4ab7dd68848f422ef33728b

Bishop commented 9 years ago

Some channel names that cause the server to drop:

"\"/meta/handshake\\u0000'\\\"--></style></scRipt><scRipt>netsparker(0x00058F)</scRipt>\""
"\"../../../../../../../../../../boot.ini\\u0000.php\""
"\"http://r87.com/n?\\u0000.php\""
"\"php://filter//resource=http://r87.com/n?\\u0000.php\""
"\"../../../../../../../../../../windows/win.ini\\u0000.php\""

I guess this is the default config in Netsparker Web Application Security Scanner.

jimsynz commented 9 years ago

We should probably catch all the exceptions inside the rack adapter and log them, should we not?
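
As an added example that is not part of this thread or of faye-rails: one way to reject malformed channel names before they reach File.fnmatch?, and to contain the ArgumentError if one still occurs. ChannelGuard, its channel pattern, the error string and the sample channels are assumptions made for illustration; the incoming(message, callback) hook follows the Faye server extension convention.

```ruby
# Added example, not faye-rails code. ChannelGuard and CHANNEL_SHAPE are hypothetical.
class ChannelGuard
  # Assumed conservative shape: "/segment" parts, no control bytes or whitespace.
  CHANNEL_SHAPE = %r{\A(?:/[A-Za-z0-9_!~()$@-]+)+\z}
  ERROR = 'Malformed channel name'

  def initialize(patterns)
    @patterns = patterns
  end

  # True only for strings that are safe to hand to File.fnmatch?.
  def well_formed?(channel)
    channel.is_a?(String) &&
      channel.encoding.ascii_compatible? &&
      channel.valid_encoding? &&
      !channel.include?("\0") &&
      CHANNEL_SHAPE.match?(channel)
  end

  # Glob match against the configured route patterns; never raises on bad input.
  def routed?(channel)
    return false unless well_formed?(channel)
    @patterns.any? { |pattern| File.fnmatch?(pattern, channel) }
  rescue ArgumentError => e
    # Log and treat as "no route" instead of letting the exception reach the server.
    warn "channel match failed for #{channel.inspect}: #{e.message}"
    false
  end

  # Extension hook: flag the message with an error instead of routing it.
  def incoming(message, callback)
    message['error'] = ERROR unless well_formed?(message['channel'])
    callback.call(message)
  end
end

if __FILE__ == $0
  guard = ChannelGuard.new(['/widgets/**'])
  # Constructed sample channels, including one with an embedded null byte.
  ['/widgets/1', "/widgets/1\u0000.php", '/other/1'].each do |channel|
    puts "#{channel.inspect} routed=#{guard.routed?(channel)}"
  end
end
```
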