I'm building a small web application which should store URLs as input from a form. Sometimes URLs can have attributes, parameters etc., like https:/www.stackoverflow.com/search?q=This+could+be+a+very+long+string. But some 'experts' could make use of the missing validator which checks the length of the string. Otherwise a limitation may cause an error if the URL is too long.
I'm using SQLite3 for now, but the solution should work database-independently.
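As an added example (not from the question or any answer), the following validates a submitted URL in application code before it reaches the database, so the length limit and the allowed schemes are enforced the same way regardless of the database engine. The column name, the 2048-character limit and the in-memory SQLite table are assumptions for the demonstration; the parameterised INSERT is what keeps the stored value from being interpreted as SQL.

```python
import sqlite3
from urllib.parse import urlsplit

MAX_URL_LENGTH = 2048          # assumed application limit; match it to your column size
ALLOWED_SCHEMES = ("http", "https")


def validate_url(url: str) -> str:
    """Reject URLs that are too long, use an unexpected scheme, or have no host.
    Doing this in code keeps the rule independent of the database backend."""
    if len(url) > MAX_URL_LENGTH:
        raise ValueError(f"URL longer than {MAX_URL_LENGTH} characters")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return url


def open_store() -> sqlite3.Connection:
    """In-memory SQLite store used for the demonstration. The CHECK constraint is
    defence in depth only; the function name length() differs between engines."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls ("
        " id INTEGER PRIMARY KEY,"
        " url TEXT NOT NULL CHECK(length(url) <= 2048))"
    )
    return conn


def store_url(conn: sqlite3.Connection, url: str) -> str:
    """Validate, then insert with a bound parameter (never string formatting)."""
    url = validate_url(url)
    conn.execute("INSERT INTO urls (url) VALUES (?)", (url,))
    row = conn.execute("SELECT url FROM urls WHERE url = ?", (url,)).fetchone()
    return row[0]
```

`validate_url` raises before any database call, so a too-long or odd-scheme value never produces a backend-specific error.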
I'm trying to access an SSRS report that has the option to select the year and the month by adding the parameters in the URL as &param=value, but I always get the default.
These are the parameters, and I know I'm sending the correct values in the URL.
This is the report panel where I can select the Year and Month, I'm trying to get the specific report that I need by passing those parameters in the URL.
What could I be doing wrong?
Thank you everyone.
There are a couple of ways these go wrong; I'm guessing your problem is URL encoding of your date parameter, but I'll give you other stuff too. Here is a working URL with 3 parameters: a date, a string, and an integer.
https://db01.MyCompany.com/ReportServer_Prod?/Reports/R440_OutstandingRecp&paramDateEnd=12%2f31%2f2015&paramPropLiab=Property&paramRepPeriod=1
The key parts of this URL:
"https://db01.MyCompany.com/ReportServer_Prod?/" - db01.MyCompany.com is our database VM, and I'm using the "Prod" (production) instance of SQL on it.
NOTE: Check your Reporting Services Configuration application and look at the "Web Service URL" to get what "ReportServer_Prod" is on your installation.
"?/Reports/" is the path to the virtual directory, note that this is different from the path a browser would normally use. Normally my path would be "ReportServer_Prod/Pages/Report.aspx?ItemPath=%2fReports%2fR440_OutstandingRecp" if I was just viewing this from the Reporting Services interface.
Parameters are separated by "&" and it's "ParamName" "=" "ParamValue", so "&paramPropLiab=Property&paramRepPeriod=1" are the string and integer parameters respectively.
Lastly, parameter values are URL encoded if necessary. Mostly it doesn't show up, but for dates and some strings it becomes necessary. We can't send something like "12/31/2015" because it looks like part of the path; we need a URL encoded string like "12%2f31%2f2015".
Hopefully one (or more) of these were what you needed, reply in the comments if it's still not working or if you need more explanation of why the parts are what they are.
EDIT: One more thing, if a parameter has a "Display" and a "Value" (i.e. in a drop down list) you must pass the value, not the display.
EDIT: I can't make the comment stop hiding my URL, so I'll put it here
WHAT WAS TRIED
https://slo2000/Reports_TECOVA?/Reports/TEXO%20CVA%20Reports%2fTEXO_London_B_CVA_Report&ReportMonth=January&ReportYear=2020
https://slo2000/Reports_TECOVA?/Reports/TEXO%20CVA%20Reports/TEXO_London_B_CVA_Report&ReportMonth=January&ReportYear=2020
https://slo2000/ReportServer_TECOVA?/Reports/TEXO+CVA+Reports/TEXO_London_B_CVA_Report&ReportMonth=January&ReportYear=2020
WHAT WORKS (From #Nacho in comments, brought here for visibility)
http://slo2000/ReportServer_TECOVA/Pages/ReportViewer.aspx?%2TEXO+CVA+Reports%2fTEXO_London_B_CVA_Report&rs:Command=Render&ReportMonth=January&ReportYear=2020
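As an added example (not part of the answer above), this composes a report URL in the shape the answer describes, with every parameter value percent-encoded so that a date's slashes cannot be mistaken for part of the report path, and then takes such a URL apart the way the server reads it. The host, instance name and report path are placeholders modelled on the answer's example, not a real server.

```python
from urllib.parse import quote, unquote, urlsplit

# Placeholder values modelled on the answer's example.
BASE = "https://db01.MyCompany.com/ReportServer_Prod"
REPORT_PATH = "/Reports/R440_OutstandingRecp"


def build_report_url(base: str, report_path: str, params: dict) -> str:
    """Compose base?report_path&name=value&... .
    safe="" makes quote() encode '/' as well, so "12/31/2015" becomes
    "12%2F31%2F2015" instead of looking like more path segments."""
    query = "&".join(
        f"{quote(name, safe='')}={quote(str(value), safe='')}"
        for name, value in params.items()
    )
    return f"{base}?{report_path}&{query}"


def split_report_url(url: str):
    """Read the URL the way the report server does: the first item after '?'
    is the report path, the remaining items are name=value parameters."""
    query = urlsplit(url).query
    report_path, *items = query.split("&")
    params = {}
    for item in items:
        name, _, value = item.partition("=")
        params[unquote(name)] = unquote(value)
    return report_path, params
```

Passing values through `quote` with `safe=""` is the programmatic equivalent of hand-writing `12%2f31%2f2015`; `unquote` on the receiving side shows that the server gets the original date back.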
In my Angular application, I need to make a GET call to a Tomcat server. This GET call requires query parameters which could contain special characters too, like "+", "/", "/+".
The GET call is made from an Angular controller using $window.open with target "_blank".
Currently the redirection fails without any encoding.
So, I added encoding in .js file before the GET call is being made by using encodeURIComponent.
Then I added decoding logic using URLDecode.decode in backend java code to decode query parameters.
But still it doesn't work.
It works only if I encode query parameters twice within the .js file using encodeURIComponent twice.
I am trying to find the root cause for double encoding but no luck yet. I would greatly appreciate it if anyone could share any input.
Made it work by adding a * in path parameter in app.js. Adding a star means that the request will include multiple path parameters separated by /, and so angular will not try to encode / in the request.
Double encoding could also work but then the server side logic has to be modified to decode the request parameters twice and replace %2B2F by %2F
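As an added example (not from the question or the answer), the following models why "works only when encoded twice" happens. It assumes the value passes through two decoding steps on the server: one by the layer that parses the query string before the handler sees it, and a second by the handler's own URLDecoder.decode call mentioned in the question. Both are modelled with unquote_plus because form decoding turns '+' into a space, which is what makes a singly encoded value come out corrupted. The sample value is constructed.

```python
from urllib.parse import quote, unquote_plus

# Constructed sample containing the characters the question mentions.
RAW = "a+b/c/+d"


def encode_uri_component(value: str) -> str:
    """Model of JavaScript encodeURIComponent: only the unreserved characters
    A-Z a-z 0-9 - _ . ! ~ * ' ( ) are left alone; '+' and '/' are escaped."""
    return quote(value, safe="-_.!~*'()")


def form_decode(value: str) -> str:
    """Model of application/x-www-form-urlencoded decoding, which is what both
    the container's query-string parsing and java.net.URLDecoder.decode apply:
    %XX escapes are resolved and a literal '+' becomes a space."""
    return unquote_plus(value)


def value_seen_by_handler(raw: str, client_encode_passes: int) -> str:
    """Client encodes `client_encode_passes` times; server decodes twice
    (framework layer, then the handler's explicit URLDecoder.decode)."""
    wire = raw
    for _ in range(client_encode_passes):
        wire = encode_uri_component(wire)
    after_framework = form_decode(wire)      # first decode, done for you
    return form_decode(after_framework)      # second decode, done by the handler


def value_seen_by_fixed_handler(raw: str) -> str:
    """Encode once, decode once: the handler uses the already-decoded value
    and does not call URLDecoder.decode on it again."""
    return form_decode(encode_uri_component(raw))
```

With one encoding pass the first decode restores `a+b/c/+d`, and the second pass then turns the literal pluses into spaces; with two passes the first decode only strips one layer (`a%2Bb%2Fc%2F%2Bd`) and the second restores the value. Matching the number of decodes to the number of encodes (one each) is the root cause fix; double encoding merely compensates for the extra decode.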
I am surprised that when I submit a variable with an identical string value it is rejected, while the string itself is accepted by Google OAuth.
For example
$client->setClientSecret('xDDDDDDD-Tcdfgtrrfftr');
is accepted where with the same string value stored in the variable as follows
$client->setClientSecret('{$domain->GooglePlusSecret}');
is rejected.
Any way to write this to get around it? I serve multiple domains through the same root folder and software and want to set up individual OAuths as well.
I'm assuming you're using PHP here, since that's what your code looks like.
Single quoted strings do not have variables interpreted. The reason your OAuth token doesn't work is because you are using the literal string {$domain->GooglePlusSecret}.
You should change your code to either $client->setClientSecret($domain->GooglePlusSecret); or $client->setClientSecret("{$domain->GooglePlusSecret}");.
I'm running an app with Sinatra/backbone.
Let's say I visit the page http://localhost:3000/cases/1/read?name=Some%20Guy that is using the name parameter to display data on the page.
Does this present an XSS issue?
I'm just trying to send data from one page to another through a button click with the param data.
A quick test is to try the URL
http://localhost:3000/cases/1/read?name=<script>alert('foo');</script>
If the script executes and an alert popup appears, then XSS is definitely possible.
Other XSS patterns are possible too depending on where the name value is output.
You should output encode to prevent this type of attack. The encoding to use depends on the language context of your output (whether it is JavaScript, HTML, CSS, etc.), e.g. " becomes &quot; in HTML, but \x22 in JavaScript and JSON. The correct encoding prevents an attacker from being able to escape out of the context and inject their own scripts. You should also set the charset to UTF-8 to prevent some UTF-7 filter evasion attacks.
Not necessarily. It all depends on how the data is shown to the user. If you keep in mind that the data can be wrong and, for example, escape the string before output, it will be OK.
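As an added example (not from either answer, and in Python rather than the question's Sinatra app), this shows the same `name` parameter rendered three ways: unescaped, HTML-escaped, and escaped for a JavaScript string context, using the test payload from the first answer. The `\xHH` style for JavaScript matches the answer's `\x22` example; the page-rendering functions and the response header are assumptions for the demonstration.

```python
import html

# The probe URL value from the answer above, used here as constructed input.
PAYLOAD = "<script>alert('foo');</script>"


def escape_js_string(value: str) -> str:
    """Escape for use inside a JavaScript string literal: every character that
    is not ASCII alphanumeric becomes \\xHH (or \\uHHHH above 0xFF), so
    quotes and '</script>' can never close the literal or the script tag."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def render_unsafe(name: str) -> str:
    """Reflects the parameter as-is: the probe's script tag survives intact."""
    return f"<p>Hello {name}</p>"


def render_html(name: str) -> str:
    """HTML text/attribute context: html.escape with quote=True also covers
    single and double quotes, so the value cannot break out of an attribute."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_js(name: str) -> str:
    """JavaScript string context: HTML escaping is the wrong tool here, the
    value must be escaped for the string literal it lands in."""
    return f"<script>var name = '{escape_js_string(name)}';</script>"


def response_headers() -> dict:
    """Declare the charset explicitly, as the answer recommends, so the browser
    never has to guess an encoding such as UTF-7."""
    return {"Content-Type": "text/html; charset=utf-8"}
```

Choosing the escaper by output context is the whole point: `render_html` and `render_js` produce different bytes for the same input, and neither leaves a literal `<script>` in the response.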
I have implemented a generic blob serving handler as mentioned in the appengine docs. The handler will serve any blob to you, as long as you know that blob's key string. I am using it to easily compose URLs that clients can use to download their files. If client A inspects the URL to download their file and finds their blob key (i.e. 1CX2kh468IDYKGcDUiq5c69u8BRXBtKBYcIaJkmSbSa4QY096gGVaYCZJjGZUpDz == str(BlobKey)), can they somehow reverse-engineer this key and easily construct another key that can be used to download client B's files? Or does the key have a random component added?
For reference, there is this note about str(db.Key), which is what raises my question:
Note: The string representation of a key looks cryptic, but is not encrypted! It can be converted back to the raw key data, both kind and identifier. If you don't want to expose this data to your users (and allow them to easily guess other entities' keys), then encrypt these strings or use something else.
I am creating the files like this, which does not specify a filename parameter, so I think the question boils down to, how does create() "pick" a filename when one is not specified? I suppose I could generate a random filename and pass it in here to be doubly sure this is secure.
file_name = files.blobstore.create(mime_type='application/octet-stream')
BlobKeys are non-guessable. If a user has one key, that in no way enables them to guess another key. Unlike datastore keys, which contain full path information, BlobKeys do not encode any such data. You can share them safely without risk of a user doing an attack as you describe.
(I could not locate docs for these claims - this is based on my recollection.)
Assign a filename when creating a blob:
name = .....
file_name = files.blobstore.create(mime_type='application/octet-stream', _blobinfo_uploaded_filename=name)
And you do not need to use str(BlobKey). The BlobKey can be part of your serving URL.
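As an added example (not from the question or either answer, and not the App Engine API), this takes the question's "generate a random name to be doubly sure" idea one step further: the download URL carries a random handle drawn from the OS CSPRNG instead of any key, and the serving handler checks that the requester is the client the handle was issued to, so authorisation does not rest on unguessability alone. The in-memory blob store, the client names and the handle registry are constructed stand-ins.

```python
import secrets

# Constructed stand-in for the blobstore: blob key -> bytes.
BLOBS = {
    "blob-key-A": b"client A's file",
    "blob-key-B": b"client B's file",
}

# Constructed registry: download handle -> (owner, blob key).
HANDLES: dict = {}


def issue_download_handle(owner: str, blob_key: str) -> str:
    """Return a fresh 256-bit URL-safe handle for this owner's blob.
    secrets.token_urlsafe uses the OS CSPRNG, so one handle reveals nothing
    about any other, unlike a key that encodes kind and identifier."""
    handle = secrets.token_urlsafe(32)
    HANDLES[handle] = (owner, blob_key)
    return handle


def serve(handle: str, requester: str):
    """Serving handler: unknown handle -> None; handle issued to a different
    client -> None; otherwise the blob bytes. The ownership check means that
    even a leaked handle only works for the client it belongs to."""
    entry = HANDLES.get(handle)
    if entry is None:
        return None
    owner, blob_key = entry
    if owner != requester:
        return None
    return BLOBS.get(blob_key)
```

If the handler must serve anonymous links, drop the `requester` check and keep the random handle; if it serves authenticated clients, keep both, since the check costs one dictionary lookup.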