This repository has been archived by the owner on May 25, 2018. It is now read-only.

null byte in message's channel #65

Open
godsent opened this issue Feb 3, 2015 · 4 comments

Contributor

godsent commented Feb 3, 2015

FayeRails::RackAdapter::RoutingExtension#incoming uses File.fnmatch? to match the channel name. If the channel name contains a null byte "\0", an ArgumentError will be raised. The exception will drop the server (checked with Thin and WEBrick).
faye-browser.js includes channel names at lines 928..932; a malefactor can add a null byte to a channel name there via Firebug.

Contributor Author

godsent commented Feb 3, 2015

Pull request #66 created

Contributor

Bishop commented Feb 13, 2015

Contributor

Bishop commented Feb 16, 2015

Some channel names that cause the server to drop:

"\"/meta/handshake\\u0000'\\\"--></style></scRipt><scRipt>netsparker(0x00058F)</scRipt>\""
"\"../../../../../../../../../../boot.ini\\u0000.php\""
"\"http://r87.com/n?\\u0000.php\""
"\"php://filter//resource=http://r87.com/n?\\u0000.php\""
"\"../../../../../../../../../../windows/win.ini\\u0000.php\""

I guess this is the default config in Netsparker Web Application Security Scanner.

Owner

jimsynz commented Feb 20, 2015

We should probably catch all the exceptions inside the rack adapter and log them, should we not?
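
Added example (not part of the thread and not faye-rails code): a guarded channel matcher that validates the channel name before calling File.fnmatch? and rescues ArgumentError, covering both the null-byte failure reported above and the suggestion to catch and log exceptions. The names `CHANNEL_RE`, `unguarded_match` and `safe_channel_match?`, the `/widgets/**` pattern and the sample channels are assumptions constructed for illustration.

```ruby
# Added example; hypothetical names, not the project's API.

# Conservative allow-list for channel names (an assumption, stricter than
# the Bayeux grammar): "/"-separated segments of safe characters. A NUL
# byte or a name that does not start with "/" fails this check.
CHANNEL_RE = %r{\A(/[A-Za-z0-9\-_!~()$@*]+)+\z}

# Unguarded match, as in the report: File.fnmatch? raises ArgumentError
# when the channel string contains "\0".
def unguarded_match(pattern, channel)
  File.fnmatch?(pattern, channel)
end

# Guarded match: reject malformed names up front, and treat any
# ArgumentError (NUL byte, invalid byte sequence) as "no match" so a
# single bad message is logged instead of propagating out of the adapter.
def safe_channel_match?(pattern, channel, log: [])
  unless channel.is_a?(String) && channel.match?(CHANNEL_RE)
    log << "rejected channel #{channel.inspect}"
    return false
  end
  File.fnmatch?(pattern, channel)
rescue ArgumentError => e
  log << "match failed for #{channel.inspect}: #{e.message}"
  false
end

# Constructed sample input: one well-formed channel, one with a NUL byte.
SAMPLES = ['/widgets/42', "/widgets/42\u0000.php"].freeze

SAMPLES.each do |channel|
  raw = begin
    unguarded_match('/widgets/**', channel)
  rescue ArgumentError => e
    "ArgumentError (#{e.message})"
  end
  guarded = safe_channel_match?('/widgets/**', channel)
  puts "#{channel.inspect}: unguarded=#{raw} guarded=#{guarded}"
end
```
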
