Strings going through REST API should be sanitized before sending #4076

ichorid · 2018-11-30T18:16:58Z

At this moment, when we send a string through the REST API we don't check if the string contains symbols that participate in request parsing, such as &?=, etc.
Consequently, the string could be broken down in a wrong way and/or manipulated for an injection attack.
For example, trying to download a torrent with & in its name results in a broken title in the downloads list that only contains the first word. (e.g. Cucumbers&Tomatoes will result in adding the download as just Cucumbers )

To solve it, we have to filter all our REST strings through urlencode filter, like described in
https://stackoverflow.com/questions/5607551/how-to-urlencode-a-querystring-in-python

Related to #3406

The text was updated successfully, but these errors were encountered:

ichorid · 2019-02-23T10:58:17Z

Mostly solved by #4090. Solving it completely. Would require a complete redesign of our REST endpoints implementation. This work should be done as a part of formalization effort, like #3406

ichorid added the type: bug label Nov 30, 2018

ichorid added this to the V7.2: Gigachannels milestone Nov 30, 2018

ichorid changed the title ~~Strings going throug REST API should be sanitized before sending~~ Strings going through REST API should be sanitized before sending Jan 13, 2019

ichorid self-assigned this Jan 17, 2019

ichorid closed this as completed Feb 23, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strings going through REST API should be sanitized before sending #4076

Strings going through REST API should be sanitized before sending #4076

ichorid commented Nov 30, 2018

ichorid commented Feb 23, 2019

Strings going through REST API should be sanitized before sending #4076

Strings going through REST API should be sanitized before sending #4076

Comments

ichorid commented Nov 30, 2018

ichorid commented Feb 23, 2019