Consider adding the Rack::Utils::InvalidParameterError exception to the built-in list of normally ignored exceptions.
That exception is raised whenever any of the request parameters has an invalid string encoding, such as an invalid UTF-8 byte sequence.
Although invalid strings won't normally be sent by web browsers, it can happen with malware or hacking attacks as an often-used attack vector; so when it does happen these errors can occur rapidly and in large numbers. Bad UTF-8 should probably just result in an HTTP 400 Bad Request response, and little else.
By the way, this UTF-8 checking and exception happens very early in the Rack stack in ActionDispatch::Request.check_param_encoding and cannot normally be caught or handled by the Rails application itself, say by a rescue_from.
Steps to reproduce
Use curl, wget, or a similar tool other than a web browser, and add an invalid UTF-8 sequence to the end of any application URL, like https://....../example?badstring=%E2%28%A1
See also similar issue #506
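The behaviour the issue asks for (bad UTF-8 gets a plain 400 and nothing else) can also be enforced ahead of the application, as in this added example, which is not code from the issue or from any gem. The class name `RejectInvalidUtf8Params` and the helper `demo_statuses` are hypothetical, the sample query strings are constructed, and only the query string is checked, not request bodies.

```ruby
require "uri"

# Added example: Rack-style middleware that answers 400 itself when a query
# string does not decode to valid UTF-8. The class name is hypothetical and
# only the standard library is used (no rack gem needed to run it).
class RejectInvalidUtf8Params
  def initialize(app)
    @app = app
  end

  def call(env)
    if self.class.valid_query?(env["QUERY_STRING"].to_s)
      @app.call(env)
    else
      # Short-circuit: the app and anything further down the stack never
      # see the request, so no exception is raised or reported for it.
      [400, { "content-type" => "text/plain" }, ["Bad Request\n"]]
    end
  end

  # True when every key and value percent-decodes to valid UTF-8.
  def self.valid_query?(query)
    query.split("&").all? do |pair|
      pair.split("=", 2).all? { |part| decodes_to_utf8?(part) }
    end
  end

  def self.decodes_to_utf8?(component)
    URI.decode_www_form_component(component, Encoding::UTF_8).valid_encoding?
  rescue ArgumentError
    # Malformed escape such as "%zz"; treated as invalid here (a choice
    # made for this example).
    false
  end
end

# Constructed sample requests, run through the middleware in front of a
# stub app that always answers 200.
def demo_statuses
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  stack = RejectInvalidUtf8Params.new(app)
  queries = ["q=caf%C3%A9", "badstring=%E2%28%A1", "q=%zz", ""]
  queries.map { |qs| stack.call("QUERY_STRING" => qs).first }
end
```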