rating.axd not properly filtering user input

Jul 25, 2008 at 4:39 PM
Edited Jul 25, 2008 at 4:40 PM
Hi,
Hey, I'm not a programmer.
Been "playing" a little bit with blogengine 1.4.
If I create a get message for rating.axd like "GET /blog/2008/07/rating.axd?id="theid"&rating=<meta+http-equiv='Set-cookie'+content='cookiename=cookievalue'>" I get a HASRATED response.
If I create a get message for rating.axd like "GET /blog/2008/07/rating.axd?id="theid"&rating=email@me<ScRiPt%20%0a%0d>alert(1972563223)%3B</ScRiPt>mydomain.com" I get a HASRATED response.
I can throw other variations in, and get HASRATED.
Just thought to drop these here.
Thanks.
Jul 26, 2008 at 12:57 AM
Edited Jul 26, 2008 at 1:01 AM
How about something like this:
        public void ProcessRequest(HttpContext context)
        {
            string idS = context.Request.QueryString["id"];
            string ratingS = context.Request.QueryString["rating"];

            // Declared outside the try block so they are still in scope after it.
            int rating;
            Guid id;

            try
            {
                if (String.IsNullOrEmpty(idS)) { throw new ArgumentNullException("id"); }
                if (String.IsNullOrEmpty(ratingS)) { throw new ArgumentNullException("rating"); }

                // Convert first, then range-check: anything that is not a 1-5 integer
                // and a well-formed GUID ends up in the catch block below.
                rating = Int32.Parse(ratingS);
                id = new Guid(idS);

                if (rating < 1 || rating > 5)
                {
                    throw new ArgumentOutOfRangeException("rating", "value must be between 1 and 5");
                }
            }
            catch (Exception)
            {
                context.Response.Write("FAIL");
                context.Response.End();
                return; // rating/id are unassigned on this path, so the compiler needs an exit here
            }

            bool hasRated = HasRated(id);
            if (hasRated)
            {
                // Only the parsed integer is written back, never the raw query string.
                context.Response.Write(rating + "HASRATED");
                context.Response.End();
                return;
            }

            Post post = Post.GetPost(id);
            post.Rate(rating);

            SetCookie(id.ToString(), context);
            context.Response.Write(rating + "OK");
            context.Response.End();
        }

Edit: Moved int rating declaration outside of try block :doh:
Jul 26, 2008 at 12:26 PM
Hi,
Excuse my ignorance, but what happens with the declaration of rate?
And for rating, you just go from int to string?
Thanks.
Jul 26, 2008 at 2:40 PM
Edited Jul 26, 2008 at 2:43 PM
@adrianf

The problem was, I wrapped my validation and conversions in a try block. I forgot to declare my "rating" variable outside of the block, which caused "rating" to be scoped to the try block. The problem with that is: you cannot use a variable outside of its scope, so "rating" would only be valid inside of that try block.

And, rating should only ever be an integer between 1 and 5. So, to be safe, we should convert the string to an integer, then check if that integer is between 1 and 5. It probably wouldn't have even been a problem, since we are not calling Eval() on the response. But it's better safe than sorry I guess.
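The validation approach described in the two posts above, pulled out of the HttpContext handler into a plain function so it can be exercised directly. This is an added example, not BlogEngine.NET's own code or the poster's; the class and method names (RatingValidator, TryParseRequest, BuildResponse) are hypothetical, Guid.TryParse assumes .NET 4.0 or later, and the cookie/post-update side effects of the real handler are left out. It feeds the two payload shapes from the first post, an out-of-range value and a valid value through the validator and shows that the response is built only from the parsed integer, so the raw query string never reaches the output:

```csharp
using System;

// Added example (not the project's code): strict parse-and-range-check
// validation for the rating.axd parameters, without exceptions as control flow.
public static class RatingValidator
{
    // Accept only a well-formed GUID and an integer 1..5; anything else is rejected.
    public static bool TryParseRequest(string idS, string ratingS, out Guid id, out int rating)
    {
        id = Guid.Empty;
        rating = 0;
        if (string.IsNullOrEmpty(idS) || string.IsNullOrEmpty(ratingS))
            return false;
        // Assumption: .NET 4.0+ for Guid.TryParse; older frameworks need new Guid() in a try block.
        if (!Guid.TryParse(idS, out id))
            return false;
        if (!int.TryParse(ratingS, out rating))
            return false;
        return rating >= 1 && rating <= 5;
    }

    // The response text is assembled from the validated integer only, never from
    // the raw query string, so a browser has nothing to interpret as markup.
    // hasRated is a hypothetical stand-in for the handler's HasRated() lookup.
    public static string BuildResponse(string idS, string ratingS, Func<Guid, bool> hasRated)
    {
        Guid id;
        int rating;
        if (!TryParseRequest(idS, ratingS, out id, out rating))
            return "FAIL";
        return hasRated(id) ? rating + "HASRATED" : rating + "OK";
    }

    public static void Main()
    {
        // Constructed sample inputs; the first two mirror the payload shapes from the thread.
        string[] samples =
        {
            "<meta http-equiv='Set-cookie' content='cookiename=cookievalue'>",
            "email@me<ScRiPt>alert(1)</ScRiPt>mydomain.com",
            "7",   // integer, but outside 1..5
            "3",   // the only one that should succeed
        };
        string validId = Guid.NewGuid().ToString();
        foreach (string s in samples)
            Console.WriteLine("{0,-70} -> {1}", s, BuildResponse(validId, s, g => false));

        // A malformed id fails the same way, regardless of the rating value.
        Console.WriteLine("{0,-70} -> {1}", "id=not-a-guid", BuildResponse("not-a-guid", "3", g => false));
        // Expected: the first three samples and the bad id print FAIL; "3" prints 3OK.
    }
}
```

The TryParse pair replaces the Parse-plus-catch pattern from the posted handler with the same effect, and the point that matters for the original report is in BuildResponse: once the input has been reduced to an int, echoing it back is safe because there is no longer any attacker-controlled string to reflect.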
Jul 26, 2008 at 3:29 PM
I think I'm starting to follow you now.
Thanks!
Aug 12, 2008 at 7:30 PM
Looks like Mads has fixed that in source code 1.4.5.3 (the RatingHandler.cs was modified). Now I get a FAIL response.