Hi there!
I have a simple view with a form (with GET method), in order to allow my 
visitors to do some search. 
The controller/function that processes the get is this:

def search():
    session.forget(response)
    query = "tsv @@ plainto_tsquery('%s')" % request.vars.q
    total = db.executesql('SELECT COUNT(*) FROM contenido WHERE %s' % query)
    results = db(query).select()
    return dict(results=results)

As you can see, I use a tsv field to implement postgresql full text search. 
The function is working OK.
But *yesterday, I had an attack attempt*, or something like that.  In just 
one hour, some robot sent a lot of queries to that URL, putting "garbage" 
in the "q" parameter.

How did I notice that? Well, *in just one hour around 500 error tickets 
were created* in the /errors folder. All the errors have this form:

   - unterminated quoted string at or near "'../../../../../../../../../../windows/win.ini" LINE 1: ...tsv @@ plainto_tsquery('../../../... ^
   - unterminated quoted string at or near "'1some_inexistent_file_with_long_name" LINE 1: ...tsv @@ plainto_tsquery('1some_ine... ^
   - unterminated quoted string at or near "'../../../../../../../../../../etc/passwd" LINE 1: ...tsv @@ plainto_tsquery('../../../... ^
   - invalid byte sequence for encoding "UTF8": 0xf0 0x20 0x20 0xf0
   - invalid byte sequence for encoding "UTF8": 0xf6 0x22 0x20 0x6f
   - invalid byte sequence for encoding "UTF8": 0xa0

*I've already tried to use the search form with those query strings, but I 
cannot reproduce the error.*
*How could the robot send those bytes to the query function?*

Of course I can add a try/except block; however, I was wondering how to 
reproduce the error, and I wasn't able to do it.
Any help will be appreciated.

Thanks in advance!
Regards, 
Lisandro.

You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
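Added example, not code from the original post or from web2py itself: a hardened version of the search handler that passes the term through executesql's placeholders argument instead of formatting it into the SQL text, and refuses input that is not valid UTF-8. The sample inputs, constant names and the `db` stand-in are assumptions.

```python
# Added example, not code from the original post or from web2py itself.
# Shows why the interpolated query breaks on inputs like those in the error
# tickets and how a parameterized query keeps the search term out of the SQL.
# Sample inputs are constructed; `db` is a stand-in for web2py's DAL instance.

COUNT_SQL = "SELECT COUNT(*) FROM contenido WHERE tsv @@ plainto_tsquery(%s)"
ROWS_SQL = "SELECT * FROM contenido WHERE tsv @@ plainto_tsquery(%s)"


def vulnerable_sql(q):
    """The pattern from the post: the raw search term becomes SQL text."""
    return "SELECT COUNT(*) FROM contenido WHERE tsv @@ plainto_tsquery('%s')" % q


def quote_balanced(sql):
    """True when single quotes in the SQL text pair up; an odd count means an
    unterminated literal, which is exactly the error seen in the tickets."""
    return sql.count("'") % 2 == 0


def normalize_query(q, max_len=200):
    """Return a clean search term, or None when the input must be refused.

    Refuses bytes that are not valid UTF-8 (such as the 0xf0/0xa0 sequences
    in the tickets), empty terms and over-long terms.
    """
    if q is None:
        return None
    if isinstance(q, bytes):
        try:
            q = q.decode("utf-8")
        except UnicodeDecodeError:
            return None
    q = q.strip()
    if not q or len(q) > max_len:
        return None
    return q


def search(db, q):
    """Hypothetical controller body. The term travels as a bound parameter
    (psycopg2's %s placeholder via executesql's placeholders argument), so a
    quote inside q can never terminate the string literal."""
    term = normalize_query(q)
    if term is None:
        return dict(results=[], total=0)
    total = db.executesql(COUNT_SQL, placeholders=(term,))[0][0]
    results = db.executesql(ROWS_SQL, placeholders=(term,), as_dict=True)
    return dict(results=results, total=total)
```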