rails: URLs containing certain character codes break routing, DOS potential

  1. Create an empty rails project (I’m using Rails 3.1.3), then uncomment the default “legacy” route in config/routes.rb so that there is at least one active route defined.
  2. Fire up rails server
  3. Now visit http://localhost:3000/foo%E2%EF%BF%BD%A6.

The result is an ArgumentError: “(invalid byte sequence in UTF-8)”

This may open up Rails sites which use email error notifications to DOS attacks via the repeated requesting of such URLs.

Note that this is a more general case of #4379, which I found affected action-cached URLs. Both that issue and this one were brought to my attention by Bingbot requesting these kinds of invalid URLs from my production Rails site, resulting in error emails.

About this issue

  • Original URL
  • State: closed
  • Created 12 years ago
  • Comments: 17 (12 by maintainers)

Most upvoted comments

We should probably return a 400 Bad Request for this and #4379.

+2
pixeltrix on May 20, 2012

As an aside, we’re dealing with a similar issue in our application where bots/spiders are trying to access routes with invalid UTF8 characters at a fairly high rate. It would be nice to be able to block this or just spit out a 404 rather than raising an error 1000s of times.

+1
TheCorp on Jan 17, 2012

I don’t think we’re disagreeing.

In the general case of encoding/decoding params, I accept your argument; I don’t believe I even suggested that Rails should handle every encoding-related ArgumentError.

My point - with which you appear to agree - is that the routing code is a Rails-provided black box beyond the influence of application code, and should therefore always yield a RoutingError or a valid route.

+1
purcell on Jan 13, 2012
Read more comments on GitHub
← rails: Upgrading Rails to v6-beta3 causes uninitialized constant ActionText::Engine::ApplicationController (NameError)
rails: Using accepts_nested_attributes for and :reject_if => :all_blank on deep nesting →