[zope2-tracker] [Bug 984884] [NEW] VirtualHostMonster silently trims a slash from a double slash
Anthony Gerrard
anthonygerrard+launchpad.net at gmail.com
Wed Apr 18 13:25:34 UTC 2012
Public bug reported:

We ran into a problem when some bot / hacker was sending requests to our
server like

    http://mysite.org/real-folder/http://google.ru/

which resulted in unhandled exceptions. We're using Apache, Zope, VHM,
Plone plus plone.app.theming. The errors were originating in
p.a.theming's use of plone.subrequest which read certain values stored
in the request object including VIRTUAL_URL_PARTS to build a subrequest.

I've written a couple of tests (attached) which show that Zope will trim
one of the slashes off a double slash in both the ACTUAL_URL and
VIRTUAL_URL_PARTS values stored on the request.

Admittedly this is a bit of an edge case but I think it is a bug in
Zope2.

** Affects: zope2
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/984884
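An added illustration, not part of the original report and not Zope, VirtualHostMonster or plone.subrequest code: a small Python model of a path rebuild that splits on "/" and drops empty segments, which yields the single-slash result the report describes, together with a check on the raw path that flags such requests before anything is built from the stored values. The function names and the split-and-rejoin model are assumptions made for this example.

```python
import re

# Assumed model of the reported behaviour (not Zope code): split the path on
# "/", drop empty segments, rejoin. An empty segment is what "//" produces.
def rebuild_path(raw_path):
    parts = [p for p in raw_path.split("/") if p]
    rebuilt = "/" + "/".join(parts)
    if parts and raw_path.endswith("/"):
        rebuilt += "/"
    return parts, rebuilt

# A URI scheme followed by ":/" at the start of a path segment, e.g. "/http:/".
EMBEDDED_SCHEME = re.compile(r"/[A-Za-z][A-Za-z0-9+.-]*:/")

def check_raw_path(raw_path):
    """Return a list of findings; an empty list means the path round-trips."""
    findings = []
    _, rebuilt = rebuild_path(raw_path)
    if "//" in raw_path:
        findings.append("empty path segment (double slash)")
    if EMBEDDED_SCHEME.search(raw_path):
        findings.append("URL scheme embedded in path")
    if rebuilt != raw_path:
        findings.append("rebuilt path %r differs from raw path" % rebuilt)
    return findings

if __name__ == "__main__":
    # Constructed sample paths; the first is the path of the URL in the report.
    for path in ("/real-folder/http://google.ru/", "/real-folder/page", "/"):
        print(path, "->", check_raw_path(path) or "ok")
```

Code that consumes request values such as ACTUAL_URL or VIRTUAL_URL_PARTS can compare them against the raw path in this way and answer with a client error instead of raising an unhandled exception.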