setting the same param to an array and a hash confuses rack

Jun 18 04:23:25 wallaby webapp[21825]: Started GET "/en/tickets/index2.php?_SERVER[]=&_SERVER[REMOTE_ADDR]='.system('id').exit().'&option=wrapper&module[module]=1" for 0.0.0.0 at 2016-06-18 04:23:25 +0000
Jun 18 04:23:25 wallaby webapp[21825]: TypeError (expected Hash (got Array) for param `_SERVER'):
 vendor/bundle/ruby/2.1.0/gems/rack-1.4.7/lib/rack/utils.rb:140:in `normalize_params'
 vendor/bundle/ruby/2.1.0/gems/rack-1.4.7/lib/rack/utils.rb:107:in `block in parse_nested_query'
 vendor/bundle/ruby/2.1.0/gems/rack-1.4.7/lib/rack/utils.rb:104:in `each'
 vendor/bundle/ruby/2.1.0/gems/rack-1.4.7/lib/rack/utils.rb:104:in `parse_nested_query'
 vendor/bundle/ruby/2.1.0/gems/rack-1.4.7/lib/rack/request.rb:332:in `parse_query'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_dispatch/http/request.rb:275:in `parse_query'
 vendor/bundle/ruby/2.1.0/gems/rack-1.4.7/lib/rack/request.rb:186:in `GET'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_dispatch/http/request.rb:231:in `GET'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_dispatch/http/parameters.rb:10:in `parameters'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_dispatch/http/filter_parameters.rb:31:in `filtered_parameters'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_controller/metal/instrumentation.rb:21:in `process_action'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_controller/metal/params_wrapper.rb:207:in `process_action'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/abstract_controller/base.rb:121:in `process'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/abstract_controller/rendering.rb:45:in `process'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_controller/metal.rb:203:in `dispatch'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_controller/metal.rb:246:in `block in action'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/action_dispatch/routing/route_set.rb:73:in `call'
 vendor/bundle/ruby/2.1.0/gems/actionpack-0.0.0.0/lib/ac

(from redmine: created on 2016-08-19, closed on 2016-11-17)
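The conflict in the log above, reproduced as an added example (not code from this issue or from Rack): a simplified one-level nested-query parser that raises when a key is used both as `k[]` and `k[sub]`, and a Rack-style handler that answers 400 instead of letting the exception go unhandled. `ParamTypeConflict`, `slot_for`, `parse_nested`, `handle` and the sample queries are hypothetical names and constructed inputs; the logged value of `_SERVER[REMOTE_ADDR]` is replaced by a placeholder.

```ruby
require "uri"

# Raised when one key is used both as an array (k[]) and as a hash (k[sub]).
class ParamTypeConflict < StandardError; end

# Fetch (or create) the container for `key`, refusing to mix Array and Hash.
def slot_for(params, key, type)
  slot = (params[key] ||= type.new)
  return slot if slot.is_a?(type)
  raise ParamTypeConflict, "expected #{type} (got #{slot.class}) for param `#{key}'"
end

# Simplified nested-query parser, one nesting level only (hypothetical helper).
def parse_nested(query)
  URI.decode_www_form(query).each_with_object({}) do |(name, value), params|
    if (m = name.match(/\A([^\[\]]+)\[\]\z/))               # k[]=v
      slot_for(params, m[1], Array) << value
    elsif (m = name.match(/\A([^\[\]]+)\[([^\[\]]+)\]\z/))  # k[sub]=v
      slot_for(params, m[1], Hash)[m[2]] = value
    else
      params[name] = value                                  # plain k=v
    end
  end
end

# Rack-style handler: a malformed query is a client error, so return 400
# rather than letting the parse error propagate as an unhandled exception.
def handle(env)
  params = parse_nested(env["QUERY_STRING"].to_s)
  [200, { "Content-Type" => "text/plain" }, ["ok: #{params.keys.join(',')}"]]
rescue ParamTypeConflict, ArgumentError   # ArgumentError: invalid %-encoding
  [400, { "Content-Type" => "text/plain" }, ["Bad Request"]]
end

# Constructed sample queries modelled on the logged request.
BAD_QUERY  = "_SERVER[]=&_SERVER[REMOTE_ADDR]=x&option=wrapper"
GOOD_QUERY = "option=wrapper&module[module]=1"

if __FILE__ == $0
  puts handle("QUERY_STRING" => BAD_QUERY).first    # status for the conflicting query
  puts handle("QUERY_STRING" => GOOD_QUERY).first   # status for the well-formed query
end
```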