Problematic malformed query strings

(I posted this on phoenix-talk but it looks like activity has moved to here so I am reposting this)

Hello all,

This is an issue affecting a Phoenix app in production, and I have tested it on the latest Elixir/Phoenix release (a simple mix phoenix.new app) and I run into the same problem. When I pass in a query string like http://localhost:4000?q=%{, I can cause a crash so early in the Endpoint that Phoenix does not even render an error template. Instead, I get a blank page and the Chrome console will report to me this error message: “Failed to load resource: the server responded with a status of 500 (Internal Server Error)”

I believe the error happens in Plug.Parsers, particularly Plug.Conn.fetch_query_params at URI.decode_www_form. If you run URI.decode_www_form("q=%{") in the shell, you will see the error that is happening.

Is there an accepted solution or patch to this problem? I tried using this query string on some sites that I believe are Phoenix apps (like phoenixframework.org) and I did not experience such a crash, which leads me to believe there is a solution out there. But I have not been able to find it. I mean, you can just write a plug to use URI.encode on the query string to escape it into a proper URI, but I wanted to see if there was an accepted solution before I applied a custom solution.

2 Likes

Can you please report this as a bug in the Phoenix issue tracker? Thank you.

2 Likes

Actually, no need to report. I have fixed this in both Phoenix and Plug:

Good catch!

5 Likes
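
The custom-plug idea from the opening post, as an added example that is not part of the thread and is not the fix that landed in Phoenix and Plug: instead of re-encoding the query string, this plug rejects a request whose query string contains an invalid percent escape (such as `%{`) with a 400, so the malformed input never reaches the decoder. The module name `RejectMalformedQuery` and the response body are hypothetical, and it assumes the plug is listed in the endpoint ahead of `Plug.Parsers`.

```elixir
defmodule RejectMalformedQuery do
  @moduledoc """
  Added example (hypothetical module name). Answers 400 Bad Request when the
  raw query string contains a "%" that is not followed by two hex digits,
  e.g. "q=%{", instead of letting the decoder raise and surface as a 500.
  """
  @behaviour Plug
  import Plug.Conn

  # True for the ASCII characters 0-9, a-f and A-F.
  defguardp is_hex(c) when c in ?0..?9 or c in ?a..?f or c in ?A..?F

  @impl true
  def init(opts), do: opts

  @impl true
  def call(%Plug.Conn{query_string: qs} = conn, _opts) do
    if well_formed?(qs) do
      # Valid escapes only: continue down the pipeline unchanged.
      conn
    else
      conn
      |> put_resp_content_type("text/plain")
      |> send_resp(400, "Bad Request: malformed query string")
      |> halt()
    end
  end

  @doc """
  Returns true when every "%" in the string starts a valid %XX escape.

      well_formed?("q=%7B")  #=> true
      well_formed?("q=%{")   #=> false
      well_formed?("q=%4")   #=> false (truncated escape)
  """
  def well_formed?(qs) when is_binary(qs), do: check(qs)

  defp check(<<>>), do: true

  defp check(<<?%, h1, h2, rest::binary>>) when is_hex(h1) and is_hex(h2),
    do: check(rest)

  # Any other "%" is malformed: wrong characters or too few of them.
  defp check(<<?%, _::binary>>), do: false

  defp check(<<_, rest::binary>>), do: check(rest)
end
```

In the endpoint module this would be a `plug RejectMalformedQuery` line placed before `plug Plug.Parsers`.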