Jira Data Center: JRASERVER-22745

QuickSearch.jspa is logging at WARN level on JAC when it can't parse queries, causing excessive logging. It also seems that we are not doing validation checks on the max-length of this string.


Details

    • 4.02
    • Severity 2 - Major

      Atlassian Update – 04 December 2017

      Hi everyone,

      We have recently reviewed this issue and the overall interest in the problem. As the issue hasn't collected votes, watchers, comments, or support cases from many customers during its lifetime, it's very low on our priority list, and will not be fixed in the foreseeable future. That's why we've decided to resolve it as Time Out.

      Although we're aware the issue is still important to those of you who were involved in the conversations around it, we want to be clear in managing your expectations. The Jira team is focusing on issues that have broad impact and high value, reflected by the number of comments, votes, support cases, and customers interested. Please consult the Atlassian Bugfix Policy for more details.

      We understand how disappointing this decision may be, but we hope you'll appreciate our transparent approach and communication.

      Atlassian will continue to watch this issue for further updates, so please feel free to share your thoughts in the comments.

      Thank you,
      Ignat Alexeyenko
      Jira Bugmaster


    Description

      I have been checking the last sets of JAC logs and I have been noticing WARN level messages such as

      2010-09-01 01:28:40,800 http-172.16.3.44-9080-Processor65 WARN anonymous 88x2037118x2 1rek059 /secure/QuickSearch.jspa [jira.jql.query.LikeQueryFactory] Unable to parse the text '[url=http://adderall.iforums.us/#]generic form of adderall[/url] http://valium.iforums.us/# valium no prescription <a href="http://vicodin.iforums.us/#">order vicodin without prescription</a> http://vicodin.iforums.us/# what is vicodin <a href="http://hydrocodone.iforums.us/#">acetaminophen bitartrate hydrocodone vicodin</a> <a href="http://adderall.iforums.us/#">adderall worsening desire to use alcohol</a> [url=http://valium.iforums.us/#]what are slang names for valium[/url] [url=http://vicodin.iforums.us/#]can you liquefy vicodin[/url] <a href="http://clonazepam.iforums.us/#">clonazepam dosage for extreme anxiety</a> <a href="http://adipex.iforums.us/#">cheapest adipex online</a> [url=http://valium.iforums.us/#]valium for dogs[/url] http://redstate.com/users/oxycontin/# false positive for oxycontin <a href="http://phentermine.iforums.us/#">phentermine no prescription</a> <a href="http://phentermine.iforums.us/#">cheap phentermine free shipping</a> [url=http://hydrocodone.iforums.us/#]hydrocodone half life[/url] http://lortab.iforums.us/# does zoloft help with lortab withdrawal <a href="http://clonazepam.iforums.us/#">clonazepam fatal dose</a> [url=http://lortab.iforums.us/#]lortab elixir[/url] http://vicodin.iforums.us/# where can i buy vicodin online http://adderall.myeweb.net/# adderall and weight loss <a href="http://lortab.iforums.us/#">how long can lortab be detected</a> [url=http://valium.iforums.us/#]buy valium uk[/url] http://plone.org/author/fioricetonline# is fioricet a controlled substance <a href="http://adderall.iforums.us/#">adderall</a> http://phentermine.iforums.us/# phentermine very cheap [url=http://adderall.myeweb.net/#]side effects of adderall[/url] <a href="http://vicodin.iforums.us/#">signs of vicodin addiction</a> <a href="http://redstate.com/users/oxycontin/#">withdrawal effects of oxycontin</a> <a href="http://phentermine.iforums.us/#">negative side effects from phentermine</a> http://valium.iforums.us/# valium for sale http://clonazepam.iforums.us/# clonazepam and viagra interaction <a href="http://adipex.iforums.us/#">adipex generic</a> <a href="http://lortab.iforums.us/#">does zoloft help with lortab withdrawal</a> [url=http://adipex.iforums.us/#]success stories of adipex[/url] [url=http://adderall.myeweb.net/#]adderall meth[/url] [url=http://adipex.iforums.us/#]adipex[/url] http://clonazepam.iforums.us/# clonazepam buy mexico [url=http://xanax.iforums.us/#]xanax withdrawal drug[/url] [url=http://plone.org/author/fioricetonline#]fioricet info[/url] [url=http://xanax.iforums.us/#]buy xanax without a prescription or membership[/url] <a href="http://adderall.myeweb.net/#">adderall high crp</a> [url=http://valium.iforums.us/#]valium online[/url] <a href="http://adderall.myeweb.net/#">adderall side effects apraxia</a> [url=http://plone.org/author/fioricetonline#]fioricet does it have asprin in it[/url] <a href="http://xanax.iforums.us/#">what does xanax look like</a> http://valium.iforums.us/# valium addiction http://plone.org/author/fioricetonline# discreet fioricet http://redstate.com/users/oxycontin/# allergy to oxycontin skin sensitivity http://redstate.com/users/oxycontin/# oxycontin addiction http://adipex.iforums.us/# how long does it take adipex to work [url=http://adderall.myeweb.net/#]adderall information[/url] <a href="http://plone.org/author/fioricetonline#">is it legal to buy fioricet online</a> http://clonazepam.iforums.us/# clonazepam addiction http://vicodin.iforums.us/# vicodin mexico [url=http://adderall.myeweb.net/#]drug adderall[/url] [url=http://plone.org/author/fioricetonline#]where can i buy fioricet online[/url] [url=http://adderall.myeweb.net/#]adderall half life[/url] http://lortab.iforums.us/# lortab elixir http://xanax.iforums.us/# xanax overdose [url=http://hydrocodone.iforums.us/#]hydrocodone bitartrate and acetaminophen tablets usp ciii[/url] http://xanax.iforums.us/# how to get high on xanax [url=http://redstate.com/users/oxycontin/#]oxycontin lyrics[/url] [url=http://vicodin.iforums.us/#]will vicodin make you fail a drug test[/url] [url=http://phentermine.iforums.us/#]buy phentermine online[/url] <a href="http://valium.iforums.us/#">valium used</a> ' for field 'summary'.


      It seems like our spammer friends have been targeting the QuickSearch form with this sort of content. This highlights that we should probably log this at DEBUG level, as it only pollutes the logs with messages that are caused by invalid or incorrect user [or bot, in this case] input.

      Additionally, it seems that we are not doing any client or server side validation of the length of this string. According to a conversation I had with Chris M about this, the max length of a JQL query is 3000 characters, and the sample string above is 4187 characters long.

      We should have both client and server side validation of this. I guess this will have to be investigated to confirm all of this.

      It seems like both changes, especially the logging one, should be a simple fix with low risk, so I guess it could fit into the 4.2 timeframe, but let's see what the triage team says about this.
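      The two fixes the description asks for (a server-side length check ahead of the parser, and parse failures demoted from WARN to DEBUG with the user-supplied text kept out of the log) are easy to show as a small model. The following is an added example written for this page; it is not Jira's code, and `parse_free_text` is a hypothetical stand-in for `LikeQueryFactory`, while `MAX_JQL_LENGTH`, `LOG_SNIPPET`, `handle_quick_search`, `run_with_capture` and the constructed `SPAM_QUERY` payload are names chosen here. The 3000-character limit is the figure quoted in the description.

```python
import logging
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limit quoted in the issue for a JQL query (the spam sample was 4187 chars).
MAX_JQL_LENGTH = 3000
# Constructed choice: how much of a rejected query is worth putting in the log.
LOG_SNIPPET = 60

log = logging.getLogger("quicksearch")


class QueryParseError(ValueError):
    """Raised by the stand-in parser when free text cannot become a JQL term."""


@dataclass
class SearchResult:
    accepted: bool
    jql: Optional[str] = None
    error: Optional[str] = None


def parse_free_text(text: str) -> str:
    """Hypothetical stand-in for Jira's LikeQueryFactory: turn free text into a
    'summary ~' clause, refusing HTML tags and BBCode, which is the kind of
    input the log line in the description shows failing to parse."""
    if "<" in text or ">" in text or "[url=" in text:
        raise QueryParseError("markup is not valid search text")
    return 'summary ~ "%s"' % text.replace('"', '\\"')


def handle_quick_search(text: str) -> SearchResult:
    """Server-side handling of the QuickSearch text field.

    1. Enforce the length limit before parsing, so oversize bot input never
       reaches the parser and is never echoed into the log.
    2. Treat parse failures as user error: log at DEBUG with a short snippet,
       not at WARN with the whole string.
    """
    if len(text) > MAX_JQL_LENGTH:
        log.debug("QuickSearch rejected: %d chars exceeds limit of %d",
                  len(text), MAX_JQL_LENGTH)
        return SearchResult(False, error="Search text exceeds %d characters" % MAX_JQL_LENGTH)
    try:
        jql = parse_free_text(text)
    except QueryParseError as exc:
        # Snippet only: the full text is user-controlled and may be thousands
        # of chars; %r keeps newlines and quotes from breaking the log line.
        log.debug("Unable to parse the text %r for field 'summary': %s",
                  text[:LOG_SNIPPET], exc)
        return SearchResult(False, error="Search text could not be parsed")
    return SearchResult(True, jql=jql)


class _Collector(logging.Handler):
    """Captures emitted records so the logging behaviour can be checked."""

    def __init__(self) -> None:
        super().__init__(level=logging.DEBUG)
        self.records: List[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def run_with_capture(text: str) -> Tuple[SearchResult, List[str]]:
    """Run one search and return (result, level names of the records it logged)."""
    collector = _Collector()
    log.addHandler(collector)
    old_level = log.level
    log.setLevel(logging.DEBUG)
    try:
        result = handle_quick_search(text)
    finally:
        log.removeHandler(collector)
        log.setLevel(old_level)
    return result, [r.levelname for r in collector.records]


# Constructed stand-in for the spam payload in the issue: well over the limit.
SPAM_QUERY = ("[url=http://example.invalid/#]spam[/url] " * 110).strip()

if __name__ == "__main__":
    for sample in ("login bug", '<a href="http://example.invalid/#">spam</a>', SPAM_QUERY):
        result, levels = run_with_capture(sample)
        print(len(sample), result.accepted, result.error, levels)
```

      With the logger left at its production level (INFO or WARN), neither rejection produces any log output at all; the DEBUG records only appear when someone is actively investigating. The client-side half mentioned in the description would be a `maxlength` attribute on the form field, but the server check is the one that matters because a bot will not honour the form.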

      People

        Assignee: Unassigned
        Reporter: Orlando Hernandez
        Votes: 0
        Watchers: 0