Issues introduced by the recursive encoded body scrubbing changes #4

Open
2 of 3 tasks
bigpresh opened this issue Sep 19, 2023 · 0 comments
bigpresh commented Sep 19, 2023

A couple of issues caused by the recent introduction of recursive scrubbing of encoded PUT/POST bodies - PR #3:

- Undefined values in POST/PUT JSON bodies get turned into empty strings.

  Need to stop this, e.g.

  ```perl
  $data->{$key} = $c->_scrubber->scrub($data->{$key})
      if defined $data->{$key};
  ```

  etc.

- Recent changes to scrub data from `$c->req->data` if using Catalyst::Controller::REST break file uploads, causing e.g.:

  ```
  [Tue Sep 19 13:56:47 2023] [error] Caught exception in engine "multipart/form-data does not have an available data handler. Valid data_handlers are application/json, application/x-www-form-urlencoded." <at /usr/local/lib/perl5/Catalyst.pm line 2420>
  ```

  This will be a fun one - need to know whether it's safe to call `$c->req->data` before doing so - presumably look at `$c->req->content_type` and see if there is an available handler that can process that - need a clean way to determine that.

- Stringification of numbers - scrubbing a number changes it:

  ```
  $ $bar = 5;
  5
  $ Dump($bar);
  SV = IV(0x55b98ab228c8) at 0x55b98ab228d8
    REFCNT = 2
    FLAGS = (IOK,pIOK)
    IV = 5

  $ $bar = $s->scrub($bar);
  5
  $ Dump($bar);
  SV = PVIV(0x55b98ab15130) at 0x55b98ab228d8
    REFCNT = 2
    FLAGS = (POK,pPOK)
    IV = 5
    PV = 0x55b98a152800 "5"\0
    CUR = 1
    LEN = 10
  ```
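One way to handle the undefined-value and number-stringification points from the issue above, as an added example that is not the plugin's own code: a recursive scrub that leaves `undef` alone and skips scalars Perl holds purely as numbers, using the same IOK/NOK/POK flags that the `Dump` output shows. It assumes HTML::Scrubber as the scrubber object; the helper names `is_plain_number` and `scrub_recursive` and the sample body are hypothetical.

```perl
use strict;
use warnings;
use B qw(svref_2object SVf_IOK SVf_NOK SVf_POK);
use Scalar::Util qw(reftype);
use HTML::Scrubber;

# True when the scalar holds a number but no string value (IOK or NOK set,
# POK clear): the IV-vs-PVIV distinction visible in the Devel::Peek dumps.
# Hypothetical helper; copying into $val keeps the original SV's flags.
# Digit strings that were also used numerically (POK+IOK) are still
# scrubbed, which matches how JSON encoders decide number vs. string.
sub is_plain_number {
    my ($val) = @_;
    my $flags = svref_2object(\$val)->FLAGS;
    return 0 if $flags & SVf_POK;
    return ($flags & (SVf_IOK | SVf_NOK)) ? 1 : 0;
}

# Walk a decoded JSON/form body and scrub only the string leaves.
# undef stays undef (no empty-string conversion) and numbers keep their
# numeric flags, so a JSON encoder still emits 42 rather than "42".
sub scrub_recursive {
    my ($scrubber, $data) = @_;
    my $type = reftype($data) // '';
    if ($type eq 'HASH') {
        $data->{$_} = scrub_recursive($scrubber, $data->{$_}) for keys %$data;
        return $data;
    }
    if ($type eq 'ARRAY') {
        $_ = scrub_recursive($scrubber, $_) for @$data;
        return $data;
    }
    return $data if ref $data;               # other references: leave untouched
    return $data if !defined $data;          # undef: nothing to scrub
    return $data if is_plain_number($data);  # numbers: do not stringify
    return $scrubber->scrub($data);          # strings: strip markup
}

# Constructed sample body, shaped like a decoded JSON request body.
my $scrubber = HTML::Scrubber->new;          # default rules deny all tags
my $body = {
    name  => '<b onmouseover="alert(1)">Alice</b>',
    age   => 42,
    score => 9.5,
    nick  => undef,
    tags  => [ '<i>perl</i>', 7, undef ],
};
scrub_recursive($scrubber, $body);
```

After the call, `name` and the first `tags` element have their markup removed, `age`, `score` and `7` keep their IOK/NOK flags, and both `undef` values remain undefined.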
bigpresh added a commit that referenced this issue Sep 19, 2023
If it's undefined, it can't contain HTML - don't try to scrub it as
that's pointless, and will turn an undefined value into an empty string.
bigpresh added a commit that referenced this issue Sep 19, 2023
Only call `$c->req->body_data` if the request content type is one
there's a data handler for - otherwise we'll cause an exception e.g.:

```
  [error] Caught exception in engine "multipart/form-data does not have
    an available data handler. Valid data_handlers are application/json,
    application/x-www-form-urlencoded." <at /usr/local/lib/perl5/Catalyst.pm line 2420>
```

Also, add tests for multi-part file uploads, to ensure that the content
of uploaded files is left alone, but any other normal POST parameters
are still scrubbed.