ruby-on-rails - Rescuing an ActionController::BadRequest

Tags: ruby-on-rails security

I'm running a Rails app and I have a simple show action with code similar to the following:

@post = Post.find(params[:id])

So if you go to posts/1, for example, you'll see that post if it exists.

I can catch an invalid params[:id] or invalid params in general, but I noticed something strange. Yesterday somebody tried to pass me something like this:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+%ED%E5;

I get an ActionController::BadRequest exception. When I visit the URL /posts/+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+%ED%E5; I see a blank page instead of the typical 404 I get for similar errors. I also noticed that with this param it never gets into the posts controller show action, nor into the ApplicationController (I also tried rescuing it from there). I think this is a Rack exception from one of the gems I have, and I don't know how to rescue it.

This is my whole error response:
Started GET "/blog/+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+%ED" for 192.168.1.105 at 2014-03-18 09:45:42 +0200

ActionController::BadRequest (ActionController::BadRequest):
  actionpack (4.0.2) lib/action_dispatch/routing/route_set.rb:37:in `block in call'
  actionpack (4.0.2) lib/action_dispatch/routing/route_set.rb:33:in `each'
  actionpack (4.0.2) lib/action_dispatch/routing/route_set.rb:33:in `call'
  actionpack (4.0.2) lib/action_dispatch/journey/router.rb:71:in `block in call'
  actionpack (4.0.2) lib/action_dispatch/journey/router.rb:59:in `each'
  actionpack (4.0.2) lib/action_dispatch/journey/router.rb:59:in `call'
  actionpack (4.0.2) lib/action_dispatch/routing/route_set.rb:680:in `call'
  meta_request (0.2.8) lib/meta_request/middlewares/app_request_handler.rb:13:in `call'
  rack-contrib (1.1.0) lib/rack/contrib/response_headers.rb:17:in `call'
  meta_request (0.2.8) lib/meta_request/middlewares/headers.rb:16:in `call'
  meta_request (0.2.8) lib/meta_request/middlewares/meta_request_handler.rb:13:in `call'
  bullet (4.7.1) lib/bullet/rack.rb:12:in `call'
  warden (1.2.3) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.3) lib/warden/manager.rb:34:in `catch'
  warden (1.2.3) lib/warden/manager.rb:34:in `call'
  rack (1.5.2) lib/rack/etag.rb:23:in `call'
  rack (1.5.2) lib/rack/conditionalget.rb:25:in `call'
  rack (1.5.2) lib/rack/head.rb:11:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/flash.rb:241:in `call'
  rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/cookies.rb:486:in `call'
  activerecord (4.0.2) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.0.2) lib/active_record/connection_adapters/abstract/connection_pool.rb:626:in `call'
  activerecord (4.0.2) lib/active_record/migration.rb:369:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.0.2) lib/active_support/callbacks.rb:373:in `_run__44017112__call__callbacks'
  activesupport (4.0.2) lib/active_support/callbacks.rb:80:in `run_callbacks'
  actionpack (4.0.2) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/reloader.rb:64:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
  better_errors (1.1.0) lib/better_errors/middleware.rb:58:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.0.2) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.0.2) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.0.2) lib/active_support/tagged_logging.rb:67:in `block in tagged'
  activesupport (4.0.2) lib/active_support/tagged_logging.rb:25:in `tagged'
  activesupport (4.0.2) lib/active_support/tagged_logging.rb:67:in `tagged'
  railties (4.0.2) lib/rails/rack/logger.rb:20:in `call'
  quiet_assets (1.0.2) lib/quiet_assets.rb:18:in `call_with_quiet_assets'
  actionpack (4.0.2) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
  rack (1.5.2) lib/rack/runtime.rb:17:in `call'
  activesupport (4.0.2) lib/active_support/cache/strategy/local_cache.rb:83:in `call'
  rack (1.5.2) lib/rack/lock.rb:17:in `call'
  actionpack (4.0.2) lib/action_dispatch/middleware/static.rb:64:in `call'
  rack (1.5.2) lib/rack/sendfile.rb:112:in `call'
  railties (4.0.2) lib/rails/engine.rb:511:in `call'
  railties (4.0.2) lib/rails/application.rb:97:in `call'
  rack (1.5.2) lib/rack/content_length.rb:14:in `call'
  puma (2.7.1) lib/puma/server.rb:486:in `handle_request'
  puma (2.7.1) lib/puma/server.rb:357:in `process_client'
  puma (2.7.1) lib/puma/server.rb:250:in `block in run'
  puma (2.7.1) lib/puma/thread_pool.rb:92:in `call'
  puma (2.7.1) lib/puma/thread_pool.rb:92:in `block in spawn_thread'

Any idea how to rescue this with a 404 and avoid the blank page?

Best answer

OK, I found that if you pass something like %ED it is a 400 Bad Request, so I just created a static 400 page and added the following to my exception notifier:

Myapp::Application.config.middleware.use ExceptionNotification::Rack,
  :ignore_exceptions => ['ActionController::BadRequest'] + ExceptionNotifier.ignored_exceptions,
  :ignore_crawlers => %w{Googlebot bingbot},
  :email => {
    :email_prefix => "[Myapp.com Exception Notifier] ",
    :sender_address => %{"myapp.com" <info@myapp.com>},
    :exception_recipients => %w{myemail@myapp.com}
  }
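An added example (not code from the question or the answer) showing why a controller-level rescue_from never sees this exception and how a small Rack middleware can turn it into a fixed 400 page: the Rails 4 router (route_set.rb in the trace above) raises ActionController::BadRequest when a percent-decoded path parameter is not valid UTF-8, before any controller runs. The RescueBadRequest class, its response body and the FAKE_ROUTER that mimics the router's check are assumptions of this example; in a real app the middleware would be registered with config.middleware.use, as the answer does for ExceptionNotification, which places it just outside the router.

```ruby
require "uri"

# Stand-in so the example runs outside a Rails app (assumption); inside an
# app the real actionpack class is already loaded and this block is skipped.
unless defined?(ActionController::BadRequest)
  module ActionController; class BadRequest < StandardError; end; end
end

# Rack middleware: rescues the exception raised below it in the stack and
# answers with a fixed 400 page instead of letting it surface as a blank page.
class RescueBadRequest
  STATUS = 400
  BODY   = "<h1>400 Bad Request</h1><p>The URL could not be parsed.</p>"

  def initialize(app)
    @app = app
  end

  def call(env)
    @app.call(env)
  rescue ActionController::BadRequest
    [STATUS,
     { "Content-Type" => "text/html", "Content-Length" => BODY.bytesize.to_s },
     [BODY]]
  end
end

# Minimal stand-in for the Rails 4 router: percent-decodes the :id segment and
# applies the same valid_encoding? check that route_set.rb does before any
# controller action (and therefore any rescue_from) is reached.
FAKE_ROUTER = lambda do |env|
  id = URI.decode_www_form_component(env["PATH_INFO"].sub(%r{\A/posts/}, ""))
  unless id.valid_encoding?
    raise ActionController::BadRequest, "Invalid parameter: id => #{id.inspect}"
  end
  [200, { "Content-Type" => "text/plain" }, ["post #{id}"]]
end

# Sends a GET for +path+ through the wrapped router; returns [status, body].
def get_request(path)
  status, _headers, body = RescueBadRequest.new(FAKE_ROUTER).call("PATH_INFO" => path)
  [status, body.join]
end

if __FILE__ == $0
  p get_request("/posts/1")                      # [200, "post 1"]
  p get_request("/posts/+++++Result:+%ED%E5;")   # 400 with the static BODY
end
```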

Regarding ruby-on-rails - Rescuing an ActionController::BadRequest, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/22473768/
