pushtype / push_type

PushType is a modern, open source content management system for Ruby on Rails.
http://www.pushtype.org

Dragonfly possible injection attack #40

Open aaronrussell opened 7 years ago

aaronrussell commented 7 years ago

The bug tracker on one of our sites is being flooded with requests similar to:

/media/image_path.jpg?style=245x320# UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ggwd

Resulting in params:

{
  "style": "245x320# UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ggwd"
}

And is raising an error:

ArgumentError: Didn't recognise the geometry string 245x320# UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ggwd

I don't think there's an actual security risk here, but it would be nice to have someone else review the code. Additionally, maybe the style regex could extract the intended parameter more strictly and ignore the rest.
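The probe in the log line is a generic SQL-injection scanner payload, but the `style` value never reaches a query: it is handed to an image-geometry parser, which rejects it with the ArgumentError shown above. The practical hardening is therefore input validation at the controller boundary, so junk input gets a clean rejection instead of an exception in the error tracker. The following is an added example written for this issue; it is not PushType's or Dragonfly's code, and the geometry grammar it accepts is an assumption modelled on the `245x320#` shape from the report, not Dragonfly's own regex. The request path is constructed from the issue's log line with `#` percent-encoded, since a literal `#` starts a URL fragment and would never be sent to the server.

```ruby
# Added example for the PushType issue above (not project or Dragonfly code).
# Shows the permissive path that raises on junk, a strict whitelist that
# rejects it, and the "extract the intended parameter" salvage mode.
require 'cgi'
require 'uri'

# Conservative geometry grammar: WxH, Wx, or xH, followed by an optional
# resize flag (! < > ^) or a crop marker (#) with optional gravity (n/s, e/w).
# ASSUMPTION: modelled on the shapes in the issue, not Dragonfly's grammar.
GEOMETRY_BODY = '(?:\d{1,4}x\d{1,4}|\d{1,4}x|x\d{1,4})(?:[!<>^]|#(?:[ns]?[ew]?)?)?'
GEOMETRY_RE = /\A#{GEOMETRY_BODY}\z/
LEADING_GEOMETRY_RE = /\A(#{GEOMETRY_BODY})/

# The behaviour described in the issue: params[:style] goes straight to the
# geometry parser, which raises ArgumentError on anything it does not know.
def process_style_permissive(style)
  raise ArgumentError, "Didn't recognise the geometry string #{style}" unless style =~ GEOMETRY_RE
  style
end

# Hardened: validate before processing. Returns [:ok, geometry] for a clean
# value and [:reject, reason] otherwise, so the caller can answer 400 and
# nothing lands in the bug tracker. Rails params may be arrays or hashes
# (style[]=...), hence the type check before any String method is called.
def process_style_strict(style)
  return [:reject, 'not a string'] unless style.is_a?(String)
  return [:reject, 'missing'] if style.empty?
  return [:reject, 'invalid geometry'] unless style.match?(GEOMETRY_RE)
  [:ok, style]
end

# Salvage mode suggested in the issue: keep the leading valid geometry and
# ignore whatever follows. Returns nil when there is nothing usable.
def extract_leading_geometry(style)
  return nil unless style.is_a?(String)
  m = style.match(LEADING_GEOMETRY_RE)
  m && m[1]
end

# Pull the decoded style parameter out of a raw request path, as Rack would.
def style_from_path(path)
  query = URI.parse(path).query or return nil
  CGI.parse(query)['style']&.first
end

if $PROGRAM_NAME == __FILE__
  # Constructed from the issue's log line; '#' encoded as %23, spaces as '+'.
  probe = '/media/image_path.jpg?style=245x320%23+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+ggwd'
  style = style_from_path(probe)
  begin
    process_style_permissive(style)
  rescue ArgumentError => e
    puts "permissive: #{e.class}: #{e.message}"
  end
  p process_style_strict(style)          # [:reject, "invalid geometry"]
  p extract_leading_geometry(style)      # "245x320#"
  p process_style_strict('245x320#')     # [:ok, "245x320#"]
end
```

Whether to reject or salvage is a policy choice: rejecting is the safer default because it keeps the set of geometries the image processor ever sees identical to the validated set, while salvage quietly serves a thumbnail to a scanner and hides the probe from monitoring.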