
Details

    • Type: Sub-task
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • 3.04.07
    • 3.05.00
    • Go green test server

    Description

      Cause: in Go Green, when a search is performed after an invalid path has been given in the URL, the query string is not escaped. (An example of such a search: http://www.demo.test.onehippo.com/solar ).
      Some of the characters for which this happens: [ ' ( ) "

      This might also be a security issue, equivalent to SQL injection.

      To reproduce, using Go Green test server:

      For every such request, more than 20 kB of log messages are created. The output of a single request is attached (logs.txt).
      As a result, a malicious user can fill up the logs quickly (50 requests = 1 MB).
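Two defensive measures for the behaviour described above, as an added Python example that is not part of the issue or of the Go Green code: escaping the listed characters before a term reaches the search backend and flagging terms that still carry them unescaped, plus a logging filter that caps the records one request may write and collapses a stack trace to its exception name, so a malformed query cannot produce 20 kB of log per request. It assumes a Lucene-style backslash escape rule, which the issue does not state, and a `request_id` attached to each log record.

```python
import logging
import re
from logging.handlers import BufferingHandler

# Characters the issue lists as reaching the search backend unescaped.
SEARCH_SPECIAL_CHARS = '[\'()"'
_SPECIAL_RE = re.compile('[' + re.escape(SEARCH_SPECIAL_CHARS + '\\') + ']')

def escape_search_term(term):
    """Backslash-escape specials so the term is literal text. Assumes a
    Lucene-style escape rule; the issue does not say what the backend uses."""
    return _SPECIAL_RE.sub(lambda m: '\\' + m.group(0), term)

def has_unescaped_special(term):
    """Detect what the bug let through: a special char not under a backslash."""
    remainder = re.sub(r'\\.', '', term, flags=re.S)  # drop escaped pairs
    return any(c in SEARCH_SPECIAL_CHARS for c in remainder)

class BoundedLogFilter(logging.Filter):
    """Cap records per request and reduce a stack trace to the exception
    name, so one malformed query cannot write 20 kB of log output."""
    def __init__(self, max_records=3):
        super().__init__()
        self.max_records, self.counts = max_records, {}

    def filter(self, record):
        key = getattr(record, 'request_id', None)  # assumed per-request id
        if key is not None:
            self.counts[key] = self.counts.get(key, 0) + 1
            if self.counts[key] > self.max_records:
                return False  # this request already used its log quota
        if record.exc_info and record.exc_info[1] is not None:
            record.msg = '%s (%s)' % (record.getMessage(),
                                      type(record.exc_info[1]).__name__)
            record.args, record.exc_info = (), None
        return True

def emit_with_filter(messages, request_id, max_records=3, exc=None):
    """Log messages as one request through the filter; return what survived."""
    handler = BufferingHandler(capacity=1000)  # keeps records in .buffer
    logger = logging.getLogger('search.' + request_id)
    logger.handlers.clear(); logger.filters.clear(); logger.propagate = False
    logger.setLevel(logging.ERROR)
    logger.addHandler(handler)
    logger.addFilter(BoundedLogFilter(max_records))
    for m in messages:
        logger.error(m, exc_info=exc, extra={'request_id': request_id})
    return [r.getMessage() for r in handler.buffer]
```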

      Attachments

        1. logs.txt (21 kB, Simon Voortman)

      People

        jsheriff Junaidh Kadhar Sheriff
        svoortman Simon Voortman (Inactive)