VirtualHostMonster silently trims a slash from a double slash
Bug #984884 reported by
Anthony Gerrard
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Zope 2 |
Invalid
|
Low
|
Unassigned |
Bug Description
We ran into a problem when some bot / hacker was sending requests to our server like
http://
which resulted in unhandled exceptions. We're using Apache, Zope, VHM, Plone plus plone.app.theming. The errors were originating in p.a.theming's use of plone.subrequest which read certain values stored in the request object including VIRTUAL_URL_PARTS to build a subrequest.
I've written a couple of tests (attached) which show that Zope will trim one of the slashes off a double slash in both the ACTUAL_URL and VIRTUAL_URL_PARTS values stored on the request.
Admittedly this is a bit of an edge case but I think it is a bug in Zope2.
To post a comment you must log in.
I don't know the RFC well enough. But keeping double slashes intact sounds like the right thing to do here.