Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Improve the error log message for 418 responses so that it includes the name of the offending query parameter. Require whitespace around keywords when trying to detect SQL. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | verify-options-cgi |
| Files: | files | file ages | folders |
| SHA3-256: |
ef1702fde39616ec00b6536277f11ad6 |
| User & Date: | drh 2023-07-17 11:44:26.469 |
Context
|
2023-07-17
| ||
| 12:13 | Improvements to the algorithm for detecting likely SQL injection text. ... (check-in: 5d6efeee47 user: drh tags: verify-options-cgi) | |
| 11:44 | Improve the error log message for 418 responses so that it includes the name of the offending query parameter. Require whitespace around keywords when trying to detect SQL. ... (check-in: ef1702fde3 user: drh tags: verify-options-cgi) | |
|
2023-07-16
| ||
| 20:55 | Fix typo on the 418 status code name. ... (check-in: f39c878fe1 user: drh tags: verify-options-cgi) | |
Changes
Changes to src/cgi.c.
| ︙ | ︙ | |||
1531 1532 1533 1534 1535 1536 1537 |
CGIDEBUG(("no-match [%s]\n", zName));
return zDefault;
}
/*
** Renders the "begone, spider" page and exits.
*/
| | | | | | | | 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 |
CGIDEBUG(("no-match [%s]\n", zName));
return zDefault;
}
/*
** Renders the "begone, spider" page and exits.
*/
static void cgi_begone_spider(const char *zName){
Blob content = empty_blob;
cgi_set_content(&content);
style_set_current_feature("test");
style_submenu_enable(0);
style_header("Malicious Query Detected");
@ <h2>Begone, Knave!</h2>
@ <p>This page was generated because Fossil detected an (unsuccessful)
@ SQL injection attack or other nefarious content in your HTTP request.
@
@ <p>If you believe you are innocent and have reached this page in error,
@ contact the Fossil developers on the Fossil-SCM Forum. Type
@ "fossil-scm forum" into any search engine to locate the Fossil-SCM Forum.
style_finish_page();
cgi_set_status(418,"I'm a teapotgrep ");
cgi_reply();
fossil_errorlog("possible hack attempt - 418 response on \"%s\"", zName);
exit(0);
}
/*
** If looks_like_sql_injection() returns true for the given string, calls
** cgi_begone_spider() and does not return, else this function has no
** side effects. The range of checks performed by this function may
** be extended in the future.
**
** Checks are omitted for any logged-in user.
**
** This is NOT a defense against SQL injection. Fossil should easily be
** proof against SQL injection without this routine. Rather, this is an
** attempt to avoid denial-of-service caused by persistent spiders that hammer
** the server with dozens or hundreds of SQL injection attempts per second
** against pages (such as /vdiff) that are expensive to compute. In other
** words, this is an effort to reduce the CPU load imposed by malicious
** spiders. It is not an effect defense against SQL injection vulnerabilities.
*/
void cgi_value_spider_check(const char *zTxt, const char *zName){
if( g.zLogin==0 && looks_like_sql_injection(zTxt) ){
cgi_begone_spider(zName);
}
}
/*
** A variant of cgi_parameter() with the same semantics except that if
** cgi_parameter(zName,zDefault) returns a value other than zDefault
** then it passes that value to cgi_value_spider_check().
*/
const char *cgi_parameter_nosql(const char *zName, const char *zDefault){
const char *zTxt = cgi_parameter(zName, zDefault);
if( zTxt!=zDefault ){
cgi_value_spider_check(zTxt, zName);
}
return zTxt;
}
/*
** Return the value of the first defined query parameter or cookie whose
** name appears in the list of arguments. Or if no parameter is found,
|
| ︙ | ︙ | |||
2742 2743 2744 2745 2746 2747 2748 |
void cgi_check_for_malice(void){
struct QParam * pParam;
int i;
for(i = 0; i < nUsedQP; ++i){
pParam = &aParamQP[i];
if(0 == pParam->isFetched
&& fossil_islower(pParam->zName[0])){
| | | 2742 2743 2744 2745 2746 2747 2748 2749 2750 2751 2752 |
void cgi_check_for_malice(void){
struct QParam * pParam;
int i;
for(i = 0; i < nUsedQP; ++i){
pParam = &aParamQP[i];
if(0 == pParam->isFetched
&& fossil_islower(pParam->zName[0])){
cgi_value_spider_check(pParam->zValue, pParam->zName);
}
}
}
|
Changes to src/lookslike.c.
| ︙ | ︙ | |||
463 464 465 466 467 468 469 |
blob_reset(&blob);
}
/*
** Return true if z[i] is the whole word given by zWord
*/
static int isWholeWord(const char *z, unsigned int i, const char *zWord, int n){
| | | | 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 |
blob_reset(&blob);
}
/*
** Return true if z[i] is the whole word given by zWord
*/
static int isWholeWord(const char *z, unsigned int i, const char *zWord, int n){
if( i>0 && !fossil_isspace(z[i-1]) ) return 0;
if( sqlite3_strnicmp(z+i, zWord, n)!=0 ) return 0;
if( z[i+n]!=0 && !fossil_isspace(z[i+n]) ) return 0;
return 1;
}
/*
** Returns true if the given text contains certain keywords or
** punctuation which indicate that it might be an SQL injection attempt
** or some other kind of mischief.
|
| ︙ | ︙ |