Watch those relative URLs with SES
Posted by
Brad Wood
Aug 09, 2008 10:21:00 UTC
I love infinite loops. They're sort of the black hole of programming. No one really knows what you code does when it reaches the last iteration of an infinite loop, but I speculate it has something to do with String Theory and unbounded time and space increasing proportionately to the rate of dense matter being compressed by gravitational forces so strong even light can't escape. Well, that's what I came up with off the top of my head anyway. Speaking of infinite loops, I found one happening on my server today.In an awkward sort of way, the CF community has been "enjoying" the latest round of SQL injection attacks like a frat boy enjoys his hazing/initiation. It's not fun, but you hope somehow it will gain you some respect. If that's true, then my server's been getting respected all over the place today by-- oh let's see, how did Ben Forta describe them...
Oh yes, "parasitic bottom-feeding bots created by
despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
socially-inept basement-dwelling death-penalty-deserving hacker-wannabes". That tirade tweaked a few people's perception of Ben's reserved professional manner. You get 'em Ben!
*Sigh* I've digressed. All this extra bot traffic brought out a little bug in one of the sites running on my server that I hadn't noticed before. I modified Justin Scott's filtering script a bit to log my SQL injection attempts to my database. More on those details tomorrow. Something wasn't quite right though. I was seeing a HUGE increase in my traffic and server utilization, but it wasn't matching the number of attacks I was receiving. I had something else draining my server albeit, probably a byproduct of the attacks.
Glancing through my Apache logs I noticed a similar URL being called over and over again by the same IP multiple times a second. Upon further inspection I found this site in particular used Search Engine Safe URLs. The long and short of it was, the code on this particular page would cflocation to "index.cfm" if it didn't think all the URL variables passed in were quite right. The problem with "index.cfm" is it is a relative path, and when you are using SES URLs it appears to your browser that you are in a non-existent subdirectory. Example, the URL your browser's address bar might read http://www.yoursite.com/products.cfm/product/foo/widget/bar/dr/who/. Your browser thinks you are 7 directories deep, but ColdFusion is really just serving up products.cfm and you are mincing the rest of the URL into variables. That can be a problem if you ask the browser to do a redirect based on a relative path.
In this particular file, the code intended to boot the users back out to the home page, but cflocation sends back a 302 response code to the browser with a location header of "index.cfm" which the browser promptly appended to the END of the URL and re-requested the page.
http://www.yoursite.com/products.cfm/product/foo/widget/bar/dr/who/index.cfm
Repeat Ad nauseam.
Our entire server usually doesn't see more than 50,000 total Apache requests a day. We processed over 2.5 Million today. The SQL injection attacks were bad enough, but we made it even worse by throwing a redirect loop of doom into the mix. Go us.
I fixed up the code by simply changing the cflocation tag to redirect to "/index.cfm" which instantly solved the problem. In the mean time, be cognizant of what your browser is thinking and ponder deep space.
William from Lagos
I always prefer using site relative URLs for my links