[Catalyst] Malformed requests may break $c->req->uri_for()
Merlyn Kline
merlyn at zynet.net
Fri Feb 20 17:24:43 GMT 2009
I've been using $c->req->uri_for()->as_string() to generate URLs for actions
when I need to switch between schemes (http and https). I've discovered that
this breaks for some malformed requests (using Catalyst 5.7015 on
Apache/2.2.9 (Debian)): if I do this:
telnet myserver 80
GET xxxxxxx HTTP/1.1
Host: myserver
Then $c->req->uri_for('action')->as_string() returns
'myserverxxxxxxx/action'. I wouldn't care much except that I'm required to
pass a security scan which appears to be being done by Nessus. One of the
checks it does is basically this:
telnet myserver 80
GET <IMG%20SRC=\"javascript:alert(cross_site_scripting.nasl);\"> /
HTTP/1.1
Host: myserver
So the returned page includes their XSS test code in any https links because
I generated them from $c->req->uri_for()->as_string(), and so the security
test fails.
I've fixed this by generating the URLs differently
($c->req->uri_for()->host() seems unaffected) so it's not a problem any
more.
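The failure described above is a general one: a URL builder that trusts the request-target from the request line will reflect whatever the client sent, so a bare token like `xxxxxxx` or a scanner's markup ends up inside the generated link. The following is an added illustration, written in Python rather than Perl and not code from Catalyst or from this post; it reconstructs the symptom in a simplified builder, then shows the defensive pattern the post arrives at (build links from a configured scheme and host, never from the request line) together with a request-line check that rejects anything not in origin form. The host name `myserver`, the `action` path and the sample request lines are constructed for the example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample request lines (not captured traffic). The second mirrors the
# post's "GET xxxxxxx HTTP/1.1"; the third is a simplified stand-in for the kind
# of request-target a vulnerability scanner sends.
SAMPLE_REQUEST_LINES = [
    "GET /index HTTP/1.1",
    "GET xxxxxxx HTTP/1.1",
    'GET <IMG SRC="javascript:alert(1)"> / HTTP/1.1',
]

# Loose check for an RFC 3986 origin-form request-target: absolute path, optional
# query, only characters legal in those components. Anything else is not a
# request we should derive a URL from.
ORIGIN_FORM = re.compile(
    r"^/[A-Za-z0-9._~!$&'()*+,;=:@%/-]*(\?[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*)?$"
)


def naive_uri_for(host, request_path, action, scheme="https"):
    """Simplified reconstruction of the symptom in the post: the request path is
    trusted to start with '/', so a bare token ends up glued onto the host."""
    base = request_path if request_path.endswith("/") else request_path.rsplit("/", 1)[0]
    return f"{scheme}://{host}{base}/{action}"


def parse_request_line(line):
    """Return (method, target) for a well-formed request line, else None.
    The line must be exactly three space-separated tokens and the target must be
    in origin form; an embedded space and a bare token both fail here."""
    parts = line.split(" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    if not version.startswith("HTTP/") or not ORIGIN_FORM.match(target):
        return None
    return method, target


def safe_uri_for(configured_host, action, scheme="https"):
    """Build the link from configuration only: scheme and host come from the
    application's settings (an assumption of this example), the action name is
    percent-encoded, and nothing taken from the request line is used."""
    return f"{scheme}://{configured_host}/{quote(action, safe='/')}"


def render_link(request_line, configured_host, action):
    """What a request handler should do: answer malformed request lines with a
    400 instead of rendering, and otherwise emit a link whose href is built from
    configuration and HTML-escaped on output."""
    parsed = parse_request_line(request_line)
    if parsed is None:
        return 400, ""
    href = safe_uri_for(configured_host, action)
    return 200, f'<a href="{html.escape(href, quote=True)}">{html.escape(action)}</a>'


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        status, body = render_link(line, "myserver", "action")
        print(f"{line!r}: {status} {body}")
    # The naive builder reproduces the post's 'myserverxxxxxxx/action' symptom.
    print(naive_uri_for("myserver", "xxxxxxx", "action"))
```

Running the block shows the naive builder producing `https://myserverxxxxxxx/action` for the bare-token request, while `render_link` answers both malformed lines with a 400 and never copies request-line bytes into an href. The same split applies regardless of framework: validate the request-target early, and source the authority part of generated URLs from configuration.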
I thought a more generic fix might be useful but after a quick look at the
code it's too complex for me to come up with something right now. Hopefully
I can revisit this soon. Meanwhile, this message is intended to get some
relevant keywords into the list archive in case anyone else searches there
and might find it useful.
I'm not currently using Catalyst::Plugin::RequireSSL so I don't know if
that's affected by this. I expect I will discover that soon...
Merlyn Kline