-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle EOFError raised by Rack and raise BadRequest (and lock Rack version to 2.0 to pass tests) #1743
Conversation
I can't understand why this case fails. I need help.
I assume this is problem of Rack but I have no idea why it happens and why Gemfile specifies rack's main branch to install. |
rack/rack#1696 from CHANGELOG of 3.0.0
|
I guess changing this line from: |
I think we can lock the Gemfile to rack '~> 2.0' for now. |
@@ -78,6 +78,8 @@ def params | |||
super | |||
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e | |||
raise BadRequest, "Invalid query parameters: #{Rack::Utils.escape_html(e.message)}" | |||
rescue EOFError => e | |||
raise BadRequest, "Invalid multipart/form-data: #{Rack::Utils.escape_html(e.message)}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not clear to me why you escape the HTML here, rather than on the output formatting side.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can only provide background info, not speak to if this is the best solution. The introduction of handling of EOFError
probably just followed what was already there: the handling of invalid query parameters – escaping those was introduced in #1432 to address an reported XSS #1428 (the initial handling of invalid query parameters was added in #1070)
Feel free to make a PR if you have a more appropriate solution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it makes sense to escape here as otherwise every application outputting the BadRequest
message would need to do it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should escape any error messages regardless because you don't control every error message generation, right? It should be escaped when generating HTML from the error message, not when creating an exception. Otherwise, how do you print this to the command-line, log file, etc. Maybe I'm misunderstanding something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, what you say makes sense. Feel free to contribute and maybe others will weigh in as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for mentioning. To be honest, I just copied lines above and changed error type and message. I didn't think about whether this usage of escape_html was correct or not.
This fixes #1739. Now Sinatra returns 400 Bad Request instead of 500.