[zope2-tracker] [Bug 984884] [NEW] VirtualHostMonster silently trims a slash from a double slash

Anthony Gerrard anthonygerrard+launchpad.net at gmail.com
Wed Apr 18 13:25:34 UTC 2012


Public bug reported:

We ran into a problem when some bot / hacker was sending requests to our
server like

http://mysite.org/real-folder/http://google.ru/

which resulted in unhandled exceptions.  We're using Apache, Zope, VHM,
Plone plus plone.app.theming. The errors were originating in
p.a.theming's use of plone.subrequest which read certain values stored
in the request object including VIRTUAL_URL_PARTS to build a subrequest.

I've written a couple of tests (attached) which show that Zope will trim
one of the slashes off a double slash in both the ACTUAL_URL and
VIRTUAL_URL_PARTS values stored on the request.

Admittedly this is a bit of an edge case but I think it is a bug in
Zope2.

** Affects: zope2
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/984884
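
The slash trimming described in the report can be modelled outside Zope. The following is an added example, not part of the original report and not Zope's or plone.subrequest's code: it assumes the path is split on "/" and empty segments are dropped before the URL is rebuilt, and it shows a check a consumer of the rebuilt values could run before using them. All function names are hypothetical.

```python
from urllib.parse import urlsplit

# Request URL quoted in the report above.
SAMPLE = "http://mysite.org/real-folder/http://google.ru/"


def traversal_segments(raw_path):
    """Assumed model of traversal cleaning: drop empty and '.' segments."""
    return [seg for seg in raw_path.split("/") if seg and seg != "."]


def rebuilt_path(raw_path):
    """Path as it looks after being re-joined from the cleaned segments."""
    raw_path = raw_path or "/"
    segs = traversal_segments(raw_path)
    path = "/" + "/".join(segs)
    if segs and raw_path.endswith("/"):
        path += "/"  # keep a trailing slash the client sent
    return path


def audit(raw_url):
    """Compare the path the client sent with the path rebuilt from segments.

    'mismatch' is True when the two differ, i.e. when values derived from
    the cleaned segments no longer describe the request that was received.
    A caller can then answer 404 instead of building a subrequest from them.
    """
    parts = urlsplit(raw_url)
    sent = parts.path or "/"
    rebuilt = rebuilt_path(sent)
    return {
        "sent": sent,
        "rebuilt": f"{parts.scheme}://{parts.netloc}{rebuilt}",
        "mismatch": rebuilt != sent,
    }


if __name__ == "__main__":
    for url in (SAMPLE, "http://mysite.org/real-folder/page?x=1"):
        print(url, "->", audit(url))
```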
