phoenixframework / phoenix_live_dashboard

Realtime dashboard with metrics, request logging, plus storage, OS and VM insights

Phoenix.LiveDashboard.RequestLogger attempting to parse non UTF-8 urlencoded params

scottmando2000 opened this issue

Environment

Make sure you are using the latest LiveView and Dashboard versions before continuing.

  • Elixir version (elixir -v): 1.14
  • Phoenix version (mix deps): 1.6.12
  • Phoenix LiveView version (mix deps): 0.17.11
  • Phoenix Dashboard version (mix deps): 0.6.5
  • Operating system: Ubuntu 22.04 LTS
  • Browsers you attempted to reproduce this bug on (the more the merrier): Firefox, Curl

Actual behavior

Phoenix.LiveDashboard.RequestLogger attempting to validate utf8 of every parameter

Example URL that triggers this result in a fresh phoenix project.
http://localhost:4000/announce?info_hash=%13%E9%91%E8%998%C8%E2k%1A%10%C2%BE%154it%E3%5E%CF

Elixir Forum thread explaining

Expected behavior

Only validate_utf8 on parameters relating to the request logger configuration in endpoint.ex

I don't think you should generally allow invalid UTF-8 into the system through URL parameters. If you want to receive a hash, it is best to Base64 encode it before. If you want to go ahead with this anyway, I recommend removing the :param_key from the RequestLogger, so it works exclusively based on cookies. :)

Thanks, José, for your reply.

I just tried your solution, and it did work, but I had some notes about it since it's not the best solution for this problem.

I don't control the parameter data types; these are requests coming directly from BitTorrent clients such as Transmission BT and µTorrent. A more ideal solution would be an option in the request logger to disable utf8 validation for specific parameters.

This is a specification that has been around since 2008, and losing the ability to use the request logger with the URL parameter isn't the ideal solution since all the requests are over HTTP. Especially when the purpose of the RequestLogger is to help debug. And as far as I am aware, it's not possible to set cookies on any torrent clients.
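
The following is an added sketch of the per-parameter validation discussed in this thread; it is not code from any participant, from Plug, or from phoenix_live_dashboard. It decodes the issue's example query string with the Elixir standard library, lets only an allowlist of binary parameters skip the UTF-8 check, and hex-encodes raw bytes before they reach a log. The module `TrackerParams`, its functions, and the allowlist are assumptions for illustration.

```elixir
# Added example. TrackerParams is a hypothetical module, not a Plug/Phoenix API.
defmodule TrackerParams do
  # Assumption: only info_hash is allowed to carry raw (non UTF-8) bytes.
  @binary_params MapSet.new(["info_hash"])

  @doc """
  Decodes a raw query string. Every key and every value must be valid UTF-8,
  except values of allowlisted parameters, which are tagged as {:binary, bytes}.
  """
  def decode(query) when is_binary(query) do
    query
    |> URI.query_decoder()
    |> Enum.reduce_while({:ok, %{}}, fn {key, value}, {:ok, acc} ->
      cond do
        not String.valid?(key) ->
          {:halt, {:error, {:invalid_utf8_key, Base.encode16(key)}}}

        MapSet.member?(@binary_params, key) ->
          {:cont, {:ok, Map.put(acc, key, {:binary, value})}}

        String.valid?(value) ->
          {:cont, {:ok, Map.put(acc, key, value)}}

        true ->
          {:halt, {:error, {:invalid_utf8, key}}}
      end
    end)
  end

  @doc "Prepares params for logging: raw bytes are hex-encoded, never emitted as-is."
  def loggable(params) do
    Map.new(params, fn
      {key, {:binary, bytes}} -> {key, Base.encode16(bytes, case: :lower)}
      {key, value} -> {key, value}
    end)
  end
end

# Query string taken from the example URL in the issue.
query = "info_hash=%13%E9%91%E8%998%C8%E2k%1A%10%C2%BE%154it%E3%5E%CF"

{:ok, params} = TrackerParams.decode(query)
{:binary, hash} = params["info_hash"]
IO.inspect(byte_size(hash), label: "info_hash size in bytes")
IO.inspect(String.valid?(hash), label: "info_hash is valid UTF-8")
IO.inspect(TrackerParams.loggable(params), label: "safe to log")

# Constructed input: the same kind of bytes under a non-allowlisted key is rejected.
IO.inspect(TrackerParams.decode("name=%E9%91"), label: "non-allowlisted")
```

Tagging the value as `{:binary, bytes}` keeps unvalidated bytes from being passed to code that expects a `String.t()`.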