Defect #27202

if attachment filename contain semicolon ";" we get RecodNotFound error on web server puma

Added by Vladimir Kh about 5 years ago. Updated over 2 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Attachments
Target version:-
Resolution: Affected version:

Description

AttachmentController raise RecordNotFound if attachment filename does not match with http request parameter "filename"

  def find_attachment                                                                                                                                                                      
    @attachment = Attachment.find(params[:id])                                                                                                                                             
    # Show 404 if the filename in the url is wrong                                                                                                                                         
    raise ActiveRecord::RecordNotFound if params[:filename] && params[:filename] != @attachment.filename                                                                                   
    @project = @attachment.project                                                                                                                                                         
  rescue ActiveRecord::RecordNotFound                                                                                                                                                      
    render_404                                                                                                                                                                             
  end    

if http parameter contain semicolon, webserver puma - drop it and characters after.

According to rfc1738 (https://tools.ietf.org/html/rfc1738#section-3.3) such behavior is correct, because semicolon is reserved symbol, and must be encoded in %3B (in url)

Puma issue (https://github.com/puma/puma/issues/1122) - here is little bit more information about trouble.

I try use attachment_path helper in app/views/attachments/_links.html.erb (instead hash in link_to), and it seems to be improve situation, url was encoded right, with %3B instead ";"

puma.png (20.1 KB) Toshi MARUYAMA, 2020-03-21 12:14

History

#1 Updated by Toshi MARUYAMA about 5 years ago

  • Description updated (diff)
  • Category set to Attachments

#2 Updated by Vladimir Kh about 5 years ago

A temporary solution for me:
./config/initializers/semicolon-fix.rb


class ActionDispatch::Journey::Router::Utils::UriEncoder

  PUMASEGMENT  = /[^#{UNRESERVED}#{SUB_DELIMS.gsub(';','')}:@]/.freeze

  def escape_segment(segment)
    escape(segment, PUMASEGMENT)
  end
end

#3 Updated by Toshi MARUYAMA over 2 years ago

  • File puma.png added
  • Status changed from New to Closed

Also available in: Atom PDF