Underscore in login results in "Bad request!" Error when trying to access API #1955

@Soul6in6Gun

Running on nginx with php-fpm
nginx vhost config:

server {
    server_name rss.;
    listen 443 ssl;
    root /var/www/rss/p/;
    index index.php index.html index.htm;
    client_max_body_size 200M;

    location = / {
        try_files $uri $uri/ index.php;
    }

    location ~ ^(.+?\.php)(/.*)?$ {
        fastcgi_pass unix:/var/run/www.sock;
        fastcgi_index index.php;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param PATH_INFO $2;

        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;

        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

log_api.txt:

[Thu, 05 Jul 2018 23:48:38 +0200] [warning] --- badRequest() Array
(
    [date] => 2018-07-05T23:48:38+02:00
    [headers] => Array
        (
            [Accept] => */*
            [User-Agent] => curl/7.58.0
            [Host] => rss.
        )

    [_SERVER] => Array
        (
            [USER] => www-data
            [HOME] => /var/www
            [PATH_TRANSLATED] => /var/www/rss/p/accounts/ClientLogin
            [ORIG_SCRIPT_FILENAME] => /var/www/rss/p/api/greader.php/accounts/ClientLogin
            [HTTP_ACCEPT] => */*
            [HTTP_USER_AGENT] => curl/7.58.0
            [HTTP_HOST] => rss.
            [REDIRECT_STATUS] => 200
            [SERVER_NAME] => rss.
            [SERVER_PORT] => 443
            [SERVER_ADDR] => 
            [REMOTE_PORT] => 54854
            [REMOTE_ADDR] => 
            [SERVER_SOFTWARE] => nginx/1.14.0
            [GATEWAY_INTERFACE] => CGI/1.1
            [HTTPS] => on
            [REQUEST_SCHEME] => https
            [SERVER_PROTOCOL] => HTTP/1.1
            [DOCUMENT_ROOT] => /var/www/rss/p
            [DOCUMENT_URI] => /api/greader.php/accounts/ClientLogin
            [REQUEST_URI] => /api/greader.php/accounts/ClientLogin?Email=Soul_in_Gun&Passwd=password
            [CONTENT_LENGTH] =>
            [CONTENT_TYPE] =>
            [REQUEST_METHOD] => GET
            [QUERY_STRING] => Email=Soul_in_Gun&Passwd=password
            [PATH_INFO] => /accounts/ClientLogin
            [SCRIPT_NAME] => /api/greader.php/accounts/ClientLogin
            [SCRIPT_FILENAME] => /var/www/rss/p/api/greader.php
            [FCGI_ROLE] => RESPONDER
            [PHP_SELF] => /api/greader.php/accounts/ClientLogin/accounts/ClientLogin
            [REQUEST_TIME_FLOAT] => 1530827318.4757
            [REQUEST_TIME] => 1530827318
        )

    [_GET] => Array
        (
            [Email] => Soul_in_Gun
            [Passwd] => password
        )

    [_POST] => Array
        (
        )

    [_COOKIE] => Array
        (
        )

    [INPUT] =>
)

But when I created another user it worked well, same as "PASS" reports from /api/ test pages:

curl 'https://rss./api/greader.php/accounts/ClientLogin?Email=test&Passwd=password'
SID=test/dc51ac05de7f8b730edac2a3e74014fa94dcd51b
Auth=test/dc51ac05de7f8b730edac2a3e74014fa94dcd51b

So I believe this bug is login-specific.