php - Origin of "The required option "..." is missing." error message


I have a Symfony2 web site that has a dozen forms with fields where a visitor can pick a city. The forms get the list of available cities via the form option city_src.

About a week ago it went online, and, curious whether it went smoothly, I tail-ed prod.log to find anomalies. It turns out it had 2 critical errors:

"the required option "city_src" missing." @ /var/www/hb/vendor/symfony/symfony/src/symfony/component/optionsresolver/optionsresolver.php line 764 {"exception":"[object] (symfony\component\optionsresolver\exception\missingoptionsexception(code: 0): required option \"city_src\" missing. @ /var/www/hb/vendor/symfony/symfony/src/symfony/component/optionsresolver/optionsresolver.php:764)"} []

I have started looking at the forms that use the city_src option, and so far it looks pretty good.

A few notes:

  • My window for experimenting is kind of limited because it is a live site.
  • The problem is quite self-explanatory, I just don't know where it originates.

The question: is there a way to increase the verbosity of the message (for future occurrences)? Maybe somehow include the full stack trace?

The problem might not be "real". You can have a submission missing city_src even if the forms are fine; there are other ways in which this can happen:

  • The form is filled in via JavaScript, and the customer had it disabled. The form is submitted without the fields.
  • The connection hiccuped and the packet did not get through completely. I know, I know, TCP ought to prevent this. Normally it does. But I remember seeing a couple of questions where somehow (thanks to proxies, browser extensions, and undoubtedly gremlins too) it did not.
  • The form was submitted via (maybe through AJAX), has a size limitation. Unlikely, yet possible.
  • The most likely: there are jillions of bots out there that try to force any form they happen upon, to see whether anything interesting drops out - an XSS opening, spam, the possibility of sending spam, possibly a symptom of an SQL injection vulnerability. Whatever. The result is that form endpoints are wont to gather all forms of rubbish, and the logs too.

Detail of the attack scenario:

Joe Q. Bot arrives on a given page containing a form. The form is complete and has all the fields, of course. And in the normal course of events, all the fields are submitted to the server. A browser does this.

But a bot is not a browser; using whatever logic its creator employed, it may try to submit the form as is, or it can try to fiddle with it in order to obtain information or cause errors.

For example, it's not unheard of for an incomplete form used to build an INSERT into a database to throw an error and leak information about said database (e.g. the address of the database server, which might be, say, on Amazon Elastic and insufficiently guarded - who's going to guess our IP?).

Then again, since the bot may be on the crappy side of software engineering, it might fail to cope with more than "enough" fields, so that only the first half of a long form is submitted. Or it may fail to parse the form due to any number of reasons.

The result is that a field that should be there is not there, and the code chokes when analyzing the request.

A simple workaround, if you're sure there's no normal and honest way of getting a broken form, is to wrap the whole procedure in a try/catch block and send the exception privately to your inbox.

===

In your specific case I'd try to check the web server log in order to see which calls were made (e.g. GET /site/customers/app/whatever) before the error popped up. You can then try to replay the calls and see whether the error pops up again. You'll then have a clearer idea of the route the call has taken.

You might also want to supply incomplete forms to see whether they elicit the same error, and this can be done to route the response to something meaningful ("There has been a submission error, please retry") or to block the incoming bot by sending its IP address to, say, an iptables script or a firewall utility web service on the DMZ side.
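
One way to get the stack trace and request context the question asks for, and to apply the try/catch workaround from the answer in a single place. This is an added example, not code from the original post; it assumes Symfony 2.2 or later with the PSR logger, and the namespace and class name are hypothetical.

```php
<?php
// Added example, not code from the original post.
// Assumes Symfony 2.2+ (psr/log available); namespace and class name are hypothetical.
namespace AppBundle\EventListener;

use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\OptionsResolver\Exception\MissingOptionsException;

class MissingOptionListener
{
    private $logger;

    public function __construct(LoggerInterface $logger)
    {
        $this->logger = $logger;
    }

    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        $e = $event->getException();
        if (!$e instanceof MissingOptionsException) {
            return; // every other exception keeps the default handling
        }

        $request = $event->getRequest();

        // Full trace plus enough request context to find and replay the call.
        // URI, headers and field names are client-controlled: pass them as
        // context (encoded by the log formatter), never spliced into the message.
        $this->logger->critical($e->getMessage(), array(
            'trace'       => $e->getTraceAsString(),
            'method'      => $request->getMethod(),
            'uri'         => $request->getRequestUri(),
            'route'       => $request->attributes->get('_route'),
            'client_ip'   => $request->getClientIp(),
            'user_agent'  => $request->headers->get('User-Agent'),
            'referer'     => $request->headers->get('Referer'),
            // Field names only: submitted values may hold personal data.
            'post_fields' => $request->request->keys(),
        ));

        // Generic reply, as the answer suggests; no exception detail leaves the server.
        $event->setResponse(new Response('There has been a submission error, please retry.', 400));
    }
}
```

Register the class as a service tagged `kernel.event_listener` for the `kernel.exception` event. The logged `client_ip` and `uri` can then be matched against the web server log to see which calls preceded the error.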

