BlueCloth throws exceptions! Be careful! (was: auto_link fai

On 12/15/05, Sam J. [email protected] wrote:

markdown couldn’t handle an acute accent (`) e.g.


It seems that acute accents (or backticks) in Markdown signify code
segments, and it seems there’s an open ticket for this:


I would just like to bring this to everyone’s attention again because
this problem just came up on my own site. The entire front page was
brought down by a single post which had the string “``” in it,
although the “Hawai`i” example above works just as well.

I did not and still do not expect a text formatting function like
markdown to throw exceptions, but it does. All you need are unmatched
back-ticks in the text, although if you search the source of
bluecloth.rb, you can find plenty of instances of the word “raise”…

I searched around on Google for sites offering Markdown styling of
comments, and brought a few preview pages down with a message as
simple as “``Thanks.''” I wasn’t rude enough to experiment by actually
publishing the comment, but it clearly would have brought down the
post being commented upon, any administration interface which
attempted to render the comment, etc.

Basically, if you are using BlueCloth, treat it as unsafe. Catch
exceptions. You’ll save yourself a few frustrating “Application Error”
pages on some of the rare edge cases, and protect yourself from one of
the simplest DoS attacks I’ve seen.



Tom L.
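The advice in the post is to treat the renderer as unsafe and catch its exceptions. The following is an added example, not code from the post or from BlueCloth, of what that looks like in practice: a rendering wrapper that rescues any error raised by the Markdown library and falls back to HTML-escaped plain text, so a single malformed comment degrades to an unformatted paragraph instead of an "Application Error" page. Because BlueCloth itself is not assumed to be installed, the `FragileMarkdown` class below is a constructed stand-in that raises on unmatched backticks, mirroring the behaviour the post describes (both “Hawai`i” and “``Thanks.''” trigger it); `safe_render` and its `log:` parameter are likewise names chosen for this example.

```ruby
require 'cgi'

# Constructed stand-in for BlueCloth (not the real library): raises a
# ParseError when a run of backticks has no matching closing run, which is
# the failure mode the post describes.
class FragileMarkdown
  class ParseError < StandardError; end

  def initialize(text)
    @text = text
  end

  def to_html
    rest = @text
    while (m = rest.match(/`+/))
      ticks = m[0]                     # e.g. "`" or "``"
      after = m.post_match
      close = after.index(ticks)       # look for the same run further on
      raise ParseError, "unmatched #{ticks}" unless close
      rest = after[(close + ticks.size)..-1]
    end
    "<p>#{@text}</p>"
  end
end

# Renders untrusted text without letting a renderer exception escape to the
# request handler. On failure the text is HTML-escaped and returned as a
# plain paragraph, and a note is appended to +log+ (an Array here; in a real
# app this would be the application logger) so the bad input is visible to
# the operator rather than fatal to the page.
#
# StandardError is rescued deliberately: it covers the library's own parse
# errors and the usual runtime errors without swallowing interrupts.
def safe_render(text, renderer: FragileMarkdown, log: [])
  renderer.new(text).to_html
rescue StandardError => e
  log << "markdown render failed (#{e.class}: #{e.message}); " \
         "falling back to escaped text"
  "<p>#{CGI.escapeHTML(text)}</p>"
end

if __FILE__ == $0
  log = []
  ["Use `code` spans freely.", "Hawai`i", "``Thanks.''"].each do |comment|
    puts safe_render(comment, log: log)
  end
  puts log
end
```

Every comment on a page still goes through the wrapper, so one bad post cannot take down the front page, the post it was attached to, or the admin interface that renders it; the fallback output is escaped, so the failed render does not become an HTML injection point instead.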