Opened 14 years ago

Closed 14 years ago

#1705 closed defect (fixed)

MAPAGENT call crashes webservers (IIS & Apache)

Reported by: zspitzer Owned by:
Priority: high Milestone: 2.2
Component: Map Agent Version: 2.2.0
Severity: critical Keywords:
Cc: External ID:

Description

Attachments (1)

1705.patch (1.3 KB ) - added by jng 14 years ago.
Add exception handling in the Apache and ISAPI agents around the MapAgentGetParser::Parse call

Download all attachments as: .zip

Change History (9)

comment:1 by zspitzer, 14 years ago

it also occurs when appending that string to the version parameter

http://localhost:8008/mapguide/mapagent/mapagent.fcgi?OPERATION=GETDYNAMICMAPOVERLAYIMAGE&FORMAT=PNG&VERSION=2.1.0%a5%27%20having%201=1--&SESSION=70c85ffc-8760-11e0-8000-00237deca616_en_7F0000010AFC0AFB0AFA&MAPNAME=map&SEQ=0.23651071377519906&CLIENTAGENT=Ajax Viewer&BEHAVIOR=2&SETDISPLAYDPI=96&SETDISPLAYWIDTH=474&SETDISPLAYHEIGHT=444&SETVIEWSCALE=175421.11033589157&SETVIEWCENTERX=3549113&SETVIEWCENTERY=5805500&CLIENTAGENT=Ajax Viewer

comment:2 by zspitzer, 14 years ago

incidently, gzip compression reduces this down to 1.7mb #1652

comment:3 by brucedechant, 14 years ago

The SETVIEWCENTERX parameter you have in this request is not being properly created.

The "%a5'%20having%201=1--" is garbage that should not be part of the request parameter.

It should be a single numerical value like this: SETVIEWCENTERX=3549113

How are you generating this request?

comment:4 by zspitzer, 14 years ago

this was reported by a user on the mailing list, who had ordered some security checks http://osgeo-org.1803224.n2.nabble.com/mapagent-crashes-td6410737.html

comment:5 by jng, 14 years ago

I did some digging on this matter with a 2.2 branch copy.

The offending line is here:

http://trac.osgeo.org/mapguide/browser/branches/2.2/MgDev/Web/src/ApacheAgent/ApacheAgent.cpp#L153

This method is throwing a MgInvalidArgumentException with the error id MgInvalidStringConversion

The root location where this exception is thrown is at MgUtil::MultiByteToWideChar

http://trac.osgeo.org/mapguide/browser/branches/2.2/MgDev/Common/Foundation/System/Util.cpp#L287

The mgmapagent_handler() function does not have an exception handler for any MgException (or derivatives) and because of this the MgInvalidArgumentException that is thrown is unhandled and derails the Apache Web Server process

Perhaps we should have an exception handler for MgException here, and write out a bad request string response?

Perhaps something similar is happening with the ISAPI and CGI handlers?

comment:6 by brucedechant, 14 years ago

Thanks for digging into this. I agree that we should add exception handling because a bad request shouldn't crash the web server.

by jng, 14 years ago

Attachment: 1705.patch added

Add exception handling in the Apache and ISAPI agents around the MapAgentGetParser::Parse call

comment:7 by jng, 14 years ago

Ok, it seems this ticket is another case of the 2.2 branch being severely behind from the trunk version as the trunk already has these safeguards in place

http://trac.osgeo.org/mapguide/changeset/5071

So the fix is simply to backport this to the 2.2 branch, should a 2.2.x point release ever arise.

comment:8 by jng, 14 years ago

Resolution: fixed
Status: newclosed

Fixed in 2.2 branch r5928 Fixed in trunk ages ago r5071

Note: See TracTickets for help on using tickets.