Closed GoogleCodeExporter closed 9 years ago
This is probably a glitch. Will investigate.
Original comment by lcam...@gmail.com
on 23 Oct 2010 at 12:47
Okay, so I am struggling a bit to understand how this response was actually
generated. Can you help me out? What's the underlying code? Where did the >'"">
bit come from? What's with the closing ">'>'? This is not something that
skipfish injects (although it seems vaguely close).
The response does look a bit like JavaScript, so I can see why it's being
detected this way; I can fine-tune the algorithm, but it would be good to know
how this syntax came to be in the first place.
Original comment by lcam...@gmail.com
on 26 Oct 2010 at 8:40
Sure thing. After some time I've managed to boil it down to the following
simplified test case. The problem stems just from the Pylons 1.0 built-in
redirector. After installing Pylons:
paster create -t pylons # call it 'hello' and accept defaults
cd hello/
sed -i s/5000/5001/ development.ini
paster controller redir
cat > hello/controllers/redir.py << EOF
import logging
from pylons import request, response, session, tmpl_context as c, url
from pylons.controllers.util import abort, redirect
from hello.lib.base import BaseController, render
log = logging.getLogger(__name__)
class RedirController(BaseController):

    def index(self):
        # Return a rendered template
        #return render('/redir.mako')
        # or, return a string
        redirect(request.params.getone('url'))
EOF
paster serve development.ini
$ nc -q1 localhost 5001 << EOF
> GET /redir/index?url=-->">'>'"<sfi000032v524891>&email= HTTP/1.1
> Host: x.x.x.x:4000
> Accept-Encoding: gzip
> Connection: keep-alive
> User-Agent: Mozilla/5.0 SF/1.69b
> Range: bytes=0-199999
> Referer: -->">'>'"<sfi000032v524891>
> Cookie: ...
>
> EOF
HTTP/1.0 302 Found
Server: PasteWSGIServer/0.5 Python/2.6.5
Date: Tue, 26 Oct 2010 23:32:45 GMT
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache
Location: http://x.x.x.x:4000/redir/-->">'>'"<sfi000032v524891>
Content-Length: 118
302 Found
The resource was found at '>'"">http://x.x.x.x:4000/redir/">'>'"; you should be
redirected automatically.
Original comment by yaa...@gmail.com
on 26 Oct 2010 at 11:34
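As an added example (not code from the issue, from Pylons or from WebOb), here is a framework-independent version of the redirect handler in the test case above that refuses off-site destinations and HTML-escapes the Location value before it is placed into the 302 body; SITE_HOST and the function names are assumptions.

```python
# Added example, not code from the issue or from Pylons/WebOb: a framework-
# independent redirect helper showing the two checks a defender would want
# around the handler above (SITE_HOST and the function names are assumed).
from html import escape
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "x.x.x.x:4000"  # placeholder host taken from the issue's request


def safe_redirect_target(raw_url, site_host=SITE_HOST, default="/"):
    """Return raw_url if it stays on this site, otherwise `default`.

    Accepted: a path starting with a single "/" (not "//" or "/\\", which
    browsers read as scheme-relative), or an absolute http(s) URL whose
    netloc equals site_host exactly (so userinfo tricks do not match).
    """
    if not raw_url:
        return default
    parts = urlsplit(raw_url)
    if parts.scheme == "" and parts.netloc == "":
        path = parts.path
        if path.startswith("/") and not path.startswith(("//", "/\\")):
            # Rebuild from the parsed pieces so scheme/netloc stay empty.
            return urlunsplit(("", "", path, parts.query, parts.fragment))
        return default
    if parts.scheme in ("http", "https") and parts.netloc == site_host:
        return raw_url
    return default


def found_response(location):
    """Status, headers and body of a 302 like the one in the issue, with the
    Location value HTML-escaped (quotes included) before it enters the body."""
    safe = escape(location, quote=True)
    body = ("302 Found\n"
            "The resource was found at <a href=\"%s\">%s</a>; "
            "you should be redirected automatically." % (safe, safe))
    headers = [("Location", location),
               ("Content-Type", "text/html; charset=UTF-8"),
               ("Content-Length", str(len(body.encode("utf-8"))))]
    return {"status": "302 Found", "headers": headers, "body": body}


def handle_redir(url_param):
    """Hardened equivalent of RedirController.index: validate, then build."""
    return found_response(safe_redirect_target(url_param))
```

With the issue's injected string as the url parameter, the handler falls back to "/" instead of echoing the value into Location and the body.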
I'm sort of out of ideas how to fix this in a generic manner, partly because I
genuinely don't understand how the framework arrived at that response (note
that it has very little to do with the injected strings, or any transformation
thereof - ->">'>'"<sfi...> versus '>'"">).
I will keep thinking about it, but honestly, I'm at a loss. I wonder if it makes
more sense to report this to framework authors instead?
Original comment by lcam...@gmail.com
on 23 Nov 2010 at 6:43
I did report it there, but I also reported it here in case you thought it was a
problem. I agree it's pretty bizarre.
Original comment by yaa...@gmail.com
on 23 Nov 2010 at 7:04
Original issue reported on code.google.com by
yaa...@gmail.com
on 23 Oct 2010 at 12:26