Why WAF blocks multiple spaces? - api

In my project we are using a WAF. Recently I found a bug: when we add multiple-spaced words in a textbox, for example
Hello there, this is a multi spaced word collection .
and try to save it, the WAF blocks the request, but when we try to save the text without extra spaces (more than one continuous space), like this:
Hello there, this is a multi spaced word collection .
it gets saved.
I compared the formData from the network; the only difference I could identify is the space. Why does the WAF block the request? Is that a built-in functionality to prevent cyber attacks?
Note: If I remove the extra spaces from my UI it works fine. So I am very curious to know why the WAF blocks the request.

Related

Manipulating undo state in codemirror

So I'm using CodeMirror, and I'd like a way to omit certain edits from the undo state. In particular, I've got a situation where I want one keystroke to
Replace a portion of the mirror text AND
Auto-indent the fresh region
Doing this naively would mean that using the keystroke, then hitting undo would leave the mirror containing the new text without the indentation. I'd like a single undo to restore the initial text rather than going to the unindented version of the replaced text.
The only API-supported approach seems to be doing a .getHistory call before the indent, followed by a .setHistory call immediately afterwards, but the docs imply that this is a bad idea. Specifically, the effects of this are undefined if the contents of the mirror changed between .getHistory and .setHistory calls, which is the whole point in this situation.
There's also an addToHistory flag in the text marking API, but it's only available for marking rather than arbitrary edits like indentation.
Is there a good way to do what I'm looking for here?
Changes made within a single operation will result in only a single history event.
If arranging for a single operation isn't viable, the origin field of a change (settable as an argument to replaceRange and replaceSelection, and in other cases a little more awkwardly by registering a beforeChange event handler) determines the type of history-event-combination that CodeMirror does. If you assign an origin that starts with an asterisk (*) character, subsequent changes with the same origin will be combined. If the origin starts with a +, subsequent same-origin changes will be combined when they occur within options.historyEventDelay milliseconds.

Asynchronous Pluggable Protocol for CID: (email), how to handle duplicate URLs

This is somewhat a duplicate of this question, but that question has no (valid) answer and is 1.5 years old so asking my own with hopes people have more info now.
If you are using multiple instances of a WebBrowser control, MSHTML, IHTMLDocument, or whatever... from inside the APP instance, mostly IInternetProtocol::Start, is there a way to know which instance is loading the resource? Or is there a way to use a different APP for each instance of the control, maybe by providing one via IDocHostUIHandler or ICustomDoc or otherwise? I'm currently using IInternetSession::RegisterNameSpace to make it process wide.
Optional reading below, don't feel you need to read it unless above isn't clear.
I'm working on a legacy (Win32 C++) email client that uses the MS ActiveX WebBrowser control (MSHTML or other names it goes by) to display HTML emails. It was saving everything to temp files, updating the cid: URLs, and then having the control load that. Now I want to do it the correct way, using APP. I've got it all working with some test code that just uses static variables/globals and loads one email.
My problem now is, the app might have several instances of the control all loading different emails (and other stuff) at the same time... not really multiple threads so much, just the asynchronous nature of the control. I can give each instance of the control a unique URL to load the email, say, cid:email-GUID, and then in my APP code I can use that URL to know which email to load. However, when it comes to loading any content inside the email, like attached images using src="cid:", those will not always be unique so I will not always know which image it is, for which email. I'd like to avoid having to modify the URLs of the HTML before displaying it (I'm doing that now for the temp file thing, but want to do it a better way).
IInternetBindInfo::GetBindString can return the referrer, BINDSTRING_XDR_ORIGIN, or the root URL, BINDSTRING_ROOTDOC_URL, but those require newer versions of IE and my legacy app must support older XP installs that might even have IE6 or IE7, so I'd rather not use these.
Tagged as TWebBrowser because that is actually what I'm using (Borland Builder 6 C++), but don't need answers specific to that platform.
As the Asynchronous Pluggable Protocol Handler is very low level, you cannot attach handlers individually to different rendering controls.
Here is a way to get the referrer:
Obtain BINDSTRING_HEADERS
Extract the referrer by parsing the line Referer: http://....
See also How can I add an extra http header using IHTTPNegotiate?
Here is another crazy way:
Create another Asynchronous Pluggable Protocol Handler by calling RegisterMimeFilter.
Monitor text/plain and text/html
Scan the incoming email source (content comes incrementally), parse it and store all image links in a dictionary
In NameSpaceHandler you can use this dictionary to find the reference of any image resources.

Does DKIM header canonicalization insert a space after each comma in the To: header?

Using Zend Framework 1.12, PHP 5.3.1. Specifying multiple mail recipients to Zend_Mail and using Smtp transport, the "To:" header contains a list of recipients separated by commas. E.g.
To: a@example.com,b@example.com
This appears to be correct syntax according to RFC 2822.
I've added DKIM signing (using https://github.com/louisameline/php-mail-signature), which works fine, producing passing signatures accepted by gmail and other verifiers with a single To: recipient. But for multiple recipients, the signature fails.
Sending signed mail to check-auth@verifier.port25.com returns an email to the Return-path containing, among results of various checks, the canonicalized version of headers and body that it computed. I see that it has added a space after each comma when canonicalizing the To: header (I'm specifying relaxed canonicalization for both headers and body). And indeed I hacked my signature generation to add that space when canonicalizing the To: header, and that solved the problem: the port25.com verifier, gmail and others now pass the signature.
But in any description I've seen of DKIM relaxed canonicalization, including a pretty careful reading of section 3.4 of RFC 6376, as well as the code in the signature class I downloaded from github referenced above, there is nothing that adds whitespace where none was present in the original; the specified canonicalizations are all about changing existing whitespace.
So it seems to me that the canonicalization being done by the port25 verifier is at odds with RFC 6376 - except that other DKIM verifiers like gmail, autorespond+dkim-relaxed@dk.elandsys.com, and http://www.appmaildev.com/en/dkim/ all agree on the final result (they don't show the canonicalizations that they performed like port25 does, but if I don't canonicalize with the space after the commas, they reject the signature).
Does anyone here have any insight into this? Since practice in the field appears to differ consistently with the RFC dated 2011, shouldn't the RFC be updated? And of course there is also the question of whether all commas in the To: header value should be canonicalized to comma-space before WSP is replaced by a single space, and whether any other headers are affected.
Summary of final resolution
Evan's answer was exactly right regarding the OP: my MTA was adding
the space, not the validator's canonicalization. I just had not
looked carefully enough at the To: header that actually had been
received.
But knowing that doesn't yield a completely trivial solution to the
problem of generating correct signatures. The "root" problem is that
Zend_Mail generates the address-list values in headers using a comma
without a following space as a separator - although it's perfectly
valid syntax, it's also perfectly valid for an MTA to introduce a
space after each one. And the relaxed canonicalization specified by
RFC 6376 and widely implemented does not accommodate such an MTA
rewrite. Changing the Zend_Mail code to use comma-space as the
separator would be trivial, except that it is done in the middle of a
fairly long and complex method that would involve major copy-paste to
override, which felt wrong. So what I ended up doing was to write a
pre-filter that puts the space in the headers before signing them.
Although it's not 100% perfect wrt all possible syntax variations
including comments, applying the following preg_replace to the values
of To:, Cc:, and Reply-To: headers does the trick for me:
preg_replace('/(@[a-z0-9]+(\.[a-z0-9-]+)*>?,)([^ ])/i', '\1 \3', $header_value)
What is your MTA, under which platform?
I believe it may be the one modifying your headers, not the recipient applications.
Note: I am the maintainer of the library you mentioned.
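The effect discussed in this thread, as an added example (not code from the question, the answer or the php-mail-signature library): relaxed header canonicalization per RFC 6376 section 3.4.2 only rewrites whitespace that is already present, so a space an MTA inserts after a comma changes the signed input, while refolding and extra spaces do not. The function names and sample headers are constructed for illustration, and `spaceAfterCommas` is a JavaScript port of the question's pre-filter idea.

```javascript
// Relaxed header canonicalization, following RFC 6376 section 3.4.2.
function relaxedHeader(rawField) {
  const colon = rawField.indexOf(':');
  if (colon < 0) throw new Error('not a header field: ' + rawField);
  const name = rawField.slice(0, colon).trim().toLowerCase();
  const value = rawField.slice(colon + 1)
    .replace(/\r\n(?=[ \t])/g, '')      // unfold continuation lines
    .replace(/[ \t]+/g, ' ')            // each WSP run becomes one SP
    .replace(/^ +|[ \r\n]+$/g, '');     // drop WSP after the colon and at the end
  return name + ':' + value + '\r\n';
}

// Pre-filter applied before signing: put a space after each comma that
// follows an address, so the signed form already matches what a
// space-inserting MTA delivers. It does not handle comments in address lists.
function spaceAfterCommas(value) {
  return value.replace(/(@[a-z0-9]+(\.[a-z0-9-]+)*>?,)([^ ])/gi, '$1 $3');
}

// True when a signature computed over `signed` would still cover `received`,
// as far as this one header's canonical form is concerned.
function sameCanonicalForm(signed, received) {
  return relaxedHeader(signed) === relaxedHeader(received);
}

// Constructed sample headers (not taken from a real message).
const AS_GENERATED = 'To: a@example.com,b@example.com\r\n';
const AS_DELIVERED = 'To: a@example.com, b@example.com\r\n';
const REFOLDED = 'TO:  a@example.com,\r\n\tb@example.com  \r\n';
const PREFILTERED = 'To: ' + spaceAfterCommas('a@example.com,b@example.com') + '\r\n';

console.log(sameCanonicalForm(AS_GENERATED, AS_DELIVERED)); // false
console.log(sameCanonicalForm(AS_DELIVERED, REFOLDED));     // true
console.log(sameCanonicalForm(PREFILTERED, AS_DELIVERED));  // true
```

When a signature fails only for multi-recipient mail, comparing the header as generated with the header as received, byte for byte, shows whether a relay rewrote it.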

Run pageMod in background thread in firefox addon sdk?

I have to make a firefox addon that searches the loaded page against a list of words (potentially 6500 words) and highlight matches and show synonyms on hover.
So I am using HightlightRegex.js that traverses the DOM and searches based on a regex, which is using the regex \bMyWord\b.
The main problem is when testing the addon on a page that has many occurrences of the search word, Firefox hangs for a while (5-6 sec) and then highlights are shown. This is happening for 1 word, so one can just imagine what will happen if I search 6500 words.
So is there any way that I can run the pageMod in a background thread or asynchronously and highlight words as they are matched without freezing the UI?
You can have a look at the add-on at https://builder.addons.mozilla.org/addon/1042263/latest/
Currently the add-on is not tied to separate tabs and runs as a whole on the browser, but I doubt that would cause Firefox to hang.
I need to do this as efficiently as possible so suggestions are very welcome.
DOM is generally not thread-safe and you cannot access it from anything other than the main thread. The only solution would be breaking up the work into smaller chunks and using setTimeout(..., 0) to run next chunk asynchronously, without blocking everything.
One thing you could try is using the page-worker module to load the page and process it:
https://addons.mozilla.org/en-US/developers/docs/sdk/1.6/packages/addon-kit/page-worker.html
And, as Wladimir suggested, only use asynchronous code to search the document text to avoid locking up firefox.
As canuckistani hinted, the better solution requires only two synced DOM operations: reading and writing. Rip the entire page (or, even better, only its <body>) and send it through to an async worker or thread which will perform the highlighting. When it's done, the worker emits an event and passes the highlighted content, which the addon can now insert back into the page.
That way, the only synchronous operations done are fast, inexpensive ones, while the rest is done asynchronously, away from the main thread. However, canuckistani suggested to load the page in a page-worker: there is no need to do that, as the page is already loaded in a tab. Just load up a fake page and insert the actual content.

string searching / wild-card matching

I've currently been working on a relatively small project for my company to have a play with; it's basically a proxy in node.js. The features at the moment are relatively simple:
Caching
Http(s)
Blacklist
Configurable
etc.
I'm at the stage where I'm building the blacklisting system, and my blacklist file is a plain file that would have each blacklisted site on a single line.
Now the blacklist would be constructed so that you could have the following types of blacklist values:
google.com
google.com/path
ww2.google.com/path
202.55.66.201
202.55.66.[100-200]
Now within node.js, when a request comes in, what I have available to me is the requested URL from the client side; this would then be looked up in the IP cache file, and if it does not exist it gets pinged and I get the IP for that request.
So I have a few bits of information at hand: 1 being the domain, 2 being the IP, 3 being the port.
Now the problem is finding the fastest way to check these values against the file based blacklist.
As these values are not direct lookups I'm not sure if putting them into an object and doing:
if(ip in blacklist || domain in blacklist || fullUri in blacklist)
{
//block
}
Even if I did do that it would not really be beneficial as I can't check IP ranges etc.; it lacks support for the more demanding site blacklisting techniques.
I was thinking of some sort of database system but this is something I wanted to avoid, so basically what I'm asking is: is there some way to perform wild-card lookups on a datafile without causing too much overhead?
I think the more efficient way would be to loop each line of the file, and compare against your information - also would allow pattern matching - so in pseudo code:
each file as line
if line equal ip or line eq domain or line match 134.567.987.[0-9]{1-3}
then block and break
You can load the file on booting your nodejs process. You can then process the whole file and separate it into 3 arrays (IP, domains and ports).
Searching elements on memory is fast.
You can then have a setInterval that reloads the contents of the file and save it to the memory to get the latest blacklist.
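One way to combine the two answers above, as an added example that is not code from the thread: parse the file once at startup into in-memory lookup structures, handling the entry formats from the question (host, host/path, single IP, and a last-octet range such as 202.55.66.[100-200]). The names `compileBlacklist` and `isBlocked` are hypothetical, and it assumes host entries match that exact host only and path entries match on a path-segment boundary.

```javascript
// Constructed sample blacklist using the entry formats listed in the question.
const SAMPLE_BLACKLIST =
  ['google.com', 'ww2.google.com/path', '202.55.66.201', '202.55.66.[100-200]'].join('\n');

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const IPV4_RANGE = /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$/;

// Parse the file text once into structures that allow direct lookups.
function compileBlacklist(text) {
  const list = { ips: new Set(), ranges: new Map(), hosts: new Map() };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim().toLowerCase();
    if (!line) continue;
    const range = IPV4_RANGE.exec(line);
    if (range) {
      // Key ranges by their first three octets so lookup is one Map access.
      const spans = list.ranges.get(range[1]) || [];
      spans.push([Number(range[2]), Number(range[3])]);
      list.ranges.set(range[1], spans);
    } else if (IPV4.test(line)) {
      list.ips.add(line);
    } else {
      // "host" blocks the whole host; "host/path" blocks that path prefix.
      const slash = line.indexOf('/');
      const host = slash < 0 ? line : line.slice(0, slash);
      const prefix = slash < 0 ? '/' : line.slice(slash).replace(/\/+$/, '') + '/';
      const prefixes = list.hosts.get(host) || [];
      prefixes.push(prefix);
      list.hosts.set(host, prefixes);
    }
  }
  return list;
}

function isBlocked(list, { host, path = '/', ip }) {
  if (ip && list.ips.has(ip)) return true;
  const m = ip ? IPV4.exec(ip) : null;
  if (m) {
    // Compare the last octet numerically instead of with a text pattern.
    const spans = list.ranges.get(`${m[1]}.${m[2]}.${m[3]}`) || [];
    if (spans.some(([lo, hi]) => Number(m[4]) >= lo && Number(m[4]) <= hi)) return true;
  }
  // Drop query/fragment and compare on a segment boundary, so "/path"
  // matches "/path?x=1" and "/path/a" but not "/pathology".
  const clean = path.split(/[?#]/)[0];
  const p = clean.endsWith('/') ? clean : clean + '/';
  const prefixes = list.hosts.get(String(host).toLowerCase()) || [];
  return prefixes.some((prefix) => p.startsWith(prefix));
}

console.log(isBlocked(compileBlacklist(SAMPLE_BLACKLIST), { host: 'example.org', ip: '202.55.66.150' })); // true
```

Reloading, as the last answer suggests, then amounts to calling `compileBlacklist` again on the new file contents and swapping the result in.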