-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WAUrl class >> absolute mismatch with ZnZincServerAdaptor >> #requestUrlFor: #1041
Comments
After a more careful review, I think For VA it could be something like:
I guess we can do something equivalent for Zinc adaptor... but this would depend on the adaptor as it depends on what is answered in |
The issue was that we parse the result of the Zinc parsing again instead of using the parsed result. |
Hello @marianopeck I'm assigning this issue to you, here's why: You have two ways of how you can implement URL parsing:
If you believe you have a valid URL which Seaside fails to parse please open a dedicated issue for this. |
Hi guys,
It's quite common to get requests with invalid URLs. For example:
http://localhost:8088/config?type=php://filter/resource=http://whsec.us/rfi.php?
.Right now, on Pharo, if you do
WAUrl absolute: '/config?type=php://filter/resource=http://whsec.us/rfi.php?'
you get a correct WAInvalidUrlSyntaxError. However...ZnZincServerAdaptor >> #requestUrlFor:
does not rely onWAUrl class >> absolute
(as VA adaptor does) and hence that request does not fail at all. If you go to the browser, and paste that url, it will be simply processed.I think this goes in conflict with
absolute
throwing an error for that same URL.At Instantiations we got already 2 customers which had to hook on VA Seaside adaptor to put an error handler on WAInvalidUrlSyntaxError
process:
and if that's the case, then answer a bad request. While I will be patching the code in VA port itself, I think we can provide something general at Seaside upstream level. Something like:And:
Finally, I would change
ZnZincServerAdaptor >> #requestUrlFor:
so that it "validates" the original URL via "WAUrl >> absolute" just to see if it valid or not. If it is not valid, it would just signal a WAInvalidUrlSyntaxError and we will handle it as bad request (with code change above).What do you think in general? And if you agree, any idea how to implement the fix for Zinc?
Best,
The text was updated successfully, but these errors were encountered: