Forum: Ruby on Rails Weird params from Safari/525.20 on 10.5.3, {"user"=>"foo=x&bar=y"}, {"ids" => {"0"=>"123", "1"=>"45

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Henrik -. (Guest)
on 2008-11-17 17:42
(Received via mailing list)
I've seen a bunch of logged exceptions the last few months, where
Rails expects array params like
{ "ids" => ["123", "456"] }
but gets
{ "ids" => { "0" => "123", "1" => "456"] }
or expects hash params like
{ "user" => { "foo" => "x", "bar" => "y" } }
but gets
{"user" => "foo=x&bar=y" }

So what was supposed to be an array (from checkboxes named "ids[]")
becomes a hash from ordinals to values instead. And what was supposed
to be a nested hash becomes a flat hash, with parts unparsed.

The RAW_POST_DATA, according to Exception Logger, is bad, not just the
parsed data:
authenticity_token=somevalue&user=foo%3Dx%26bar%3Dy

These seem to have in common the user agent
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/
525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20

I've been unable to reproduce with the Safari version I have, which is
different by the OS X version and .1 on Safari:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5; en-us) AppleWebKit/
525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1

I haven't been able to find a changelog for Safari that says what
changed between these versions.

I'm not 100% sure whether this is in fact a bug in a specific version
of Safari (or in OS X 10.5.3), or if this is due to some kind of
automation attempts, or what. Some of the requests were a little
suspicious (numericals at end of username etc), but they could well
have been valid, and many requests do not look suspicious, other than
the weird params.

It's not just on user signup but also for user profile updating,
message sending and message deletion. I can't recall that I've seen
the issue outside these four actions. Signup and message sending are
obvious targets for automation/spam; profile updating and message
deletion less so.

It's not entirely impossible that this is influenced by something in
our setup. We've moved servers and changed some infrastructure around
in the same timeframe we started seeing this, but there wasn't a huge
spike of these issues at some point where we could connect it to a
change we did. And again, I can't reproduce with my own Safari and
haven't seen it from another user agent.

I'm writing in part just to get this googleable if someone else has
the same issue, but also to ask if anyone else has seen it or knows
more.
Henrik -. (Guest)
on 2008-11-17 17:49
(Received via mailing list)
On Mon, Nov 17, 2008 at 4:41 PM, Henrik N <removed_email_address@domain.invalid> 
wrote:
> It's not just on user signup but also for user profile updating,
> message sending and message deletion.

And the message sending did not have spam content.
Henrik -. (Guest)
on 2008-11-19 10:05
(Received via mailing list)
On Nov 17, 4:41 pm, Henrik N <removed_email_address@domain.invalid> wrote:
> So what was supposed to be an array (from checkboxes named "ids[]")
> becomes a hash from ordinals to values instead. And what was supposed
> to be a nested hash becomes a flat hash, with parts unparsed.
> [snip]

> These seem to have in common the user agent
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/
> 525.18 (KHTML, like Gecko) Version/3.1.1Safari/525.20

Now seen it (hash) from
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14) Gecko/
20080404 Firefox/2.0.0.14
as well.
This topic is locked and can not be replied to.