• last updated 1 hour ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Added code to skip suspicious looking query variables

On openacs.org, we are experiencing numerous requests with

multiply very long and strange query variables like in the example

below. So far, it is not clear, whether these requests are the

consequence of a double encoding or a deliberate attack. Many (most)

of the requests contain the query variable names containing the

(decoded) pattern "*amp;*".

This is a relatively new phenomenon. I cannot exclude that this is a

bug introduced lately in OpenACS, or a bug in an external bot, or

whatever. The problem with these query variables is that OpenACS

propagates these further, e.g., when updating query variables in

ad_dimensional, via export_vars, or return_urls.

Since OpenACS never uses these query-variables, these can be safely

skipped, without loosing functionality in OpenACS. It is possible to

construct examples, where skipping such variables can change the

semantics. Therefore, the change introduces a single function

util::suspicious_query_variable where in case of problems, the

skipping feature can be deactivated.

GET /api-doc/proc-browse?amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&type=All&amp%3btype=All&amp%3bamp%3btype=All&amp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=Private&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All HTTP/1.1" 200 62378 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko; compatible; FriendlyCrawler/1.0) Chrome/120.0.6099.216 Safari/605.1.15" "1729029614.331581 0.109805 0.000434 0.004026 0.215927

  1. … 6 more files in changeset.
Prefer unset to array unset when the whole array should be deleted

See https://wiki.tcl-lang.org/page/Dict+VS+Array+Speed

  1. … 7 more files in changeset.
merge with missing files

  1. … 1464 more files in changeset.
merge from oacs-5-10

  1. … 8099 more files in changeset.
improve spelling

  1. … 8 more files in changeset.
improve spelling

  1. … 12 more files in changeset.
improving comments

  1. … 3 more files in changeset.
improve spelling

  1. … 7 more files in changeset.
prefer XOTcl2 idioms

  1. … 4 more files in changeset.
Reduce numbber of "catch" operations

  1. … 8 more files in changeset.
Use consistently xo::library to ensure application specific subclassability

  1. … 13 more files in changeset.
fix typo

Prefer XOTcl 2.0 idioms

  1. … 2 more files in changeset.
merged changes from the oacs-5-9 branch and resolved conflicts

  1. … 7834 more files in changeset.
Merging back to HEAD all changes that happened in branch oacs-5-8 between tags: vg-merge-oacs-5-8-from-20141027 and vg-merge-oacs-5-8-from-20150427

  1. … 520 more files in changeset.
Merging back to HEAD branch oacs-5-8 (using tag vg-merge-oacs-5-8-from-20141027).

  1. … 2547 more files in changeset.
- use more tcl 8.5 idioms

  1. … 6 more files in changeset.
Removing unneeded --

- define global variable ::xo::naviserver for quick test, whether we are running under NaviServer

- fix ns_ur[en|de]code of "--" and "-charset" etc. This fixes the behavior of NaviServer, which has a "--" option terminator

  1. … 2 more files in changeset.
- make sure to avoid namespace overwrite due to form-vars with colons

- don't throw errors in scheduled procs, when no actual query paramters are available

- fix pattern for mobile detection, include form paramteres only for POST

- add simple mobile detection

- handle potential enconding problems in update_query

- don't set query-variables with empty names

- added method ::xo::update_query (more conveniant than ::xo::update_query_var)

- bumped version number to 0.115

  1. … 2 more files in changeset.
Falling back to locale en_US and charset UTF-8 in case there is an error fetching them.

- make require_package_id_from_url more robust in cases, where the url is not provided (e.g. empty)

- fix typo in comment

  1. … 1 more file in changeset.