Developer forum


(If) When was SQL Injection Regex timeouts fixed in 8.9?

Kevin Steffer

I have a solution on 8.9.1.7 that experiences problems when bots do a POST with a larger chunk of Cyrillic or Arabic characters. I'm pretty sure that has been fixed in DW 9, but has there been an update on that for 8.9?

Thanks in advance
Kevin


Replies

 
Nicolai Pedersen Dynamicweb Employee
This post has been marked as an answer

That is on October 30th 2018, TFS#56948, released in 8.9.2.23

Votes for this answer: 1
 
Sigurður Hergeirsson

I have a similar problem.

I am posting HTML table data to a form with the app "Forms (For Data Lists)", to send as email.
When the size of the data gets larger than usual (dependent on the chosen time period), I get a "No data" response after about 3 seconds and no email is sent.
And Security logging is added to the Event Log with Description "SQL Injection detected: (REGEX Timeout on Form Hreyfingarlisti_Content);"
 expression: (?:(?:"|'|<|>)+[\s\S]*(?:\W|\b)+on\w*\s*\=.*|(?:\%3C|<)(?:[^>])+javascript) key: Hreyfingarlisti_Content;
 value: 
                <table class="table table-hover" cellspacing="10" cellpadding="10">
                    <thead>
                        <tr>
                            <th>Dagsetning</th>
                           ....                            
                        </tr>
                    </thead>
                    <tbody class="tablebody"><tr>
...all the rows in the table...
                </table>

I have ruled out the data content triggering this SQL injection detection,
as if I POST exactly the same data but in two smaller chunks (two shorter periods) the POST goes fine and the email is sent.

Could I be missing some config that controls the max data length POST-able to forms?
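
The behaviour described above can be reproduced outside the CMS by running the logged expression over HTML tables of growing size with .NET's regex match timeout. This is an added example, not part of the original post and not Dynamicweb's own code; the table contents, the 3-second limit and `RegexOptions.None` are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Text;
using System.Text.RegularExpressions;

class RegexTimeoutDemo
{
    // Expression copied from the event log entry quoted in the post above.
    const string Pattern =
        @"(?:(?:""|'|<|>)+[\s\S]*(?:\W|\b)+on\w*\s*\=.*|(?:\%3C|<)(?:[^>])+javascript)";

    // Constructed sample value: a benign HTML table with `rows` body rows.
    static string BuildTable(int rows)
    {
        var sb = new StringBuilder("<table class=\"table table-hover\">\n    <tbody class=\"tablebody\">\n");
        for (int i = 0; i < rows; i++)
            sb.Append("        <tr><td>2021-01-01</td><td>").Append(i).Append("</td></tr>\n");
        return sb.Append("    </tbody>\n</table>").ToString();
    }

    // Runs the expression with a match timeout; reports match, no match or timeout.
    static (string Result, long Ms) Check(string value, TimeSpan timeout)
    {
        var regex = new Regex(Pattern, RegexOptions.None, timeout); // options are an assumption
        var sw = Stopwatch.StartNew();
        string result;
        try { result = regex.IsMatch(value) ? "match" : "no match"; }
        catch (RegexMatchTimeoutException) { result = "timeout"; }
        return (result, sw.ElapsedMilliseconds);
    }

    static void Main()
    {
        // Assumed limit, chosen to mirror the "about 3 seconds" reported in the post.
        var timeout = TimeSpan.FromSeconds(3);
        foreach (int rows in new[] { 50, 100, 200, 400, 800, 1600 })
        {
            string value = BuildTable(rows);
            var (result, ms) = Check(value, timeout);
            Console.WriteLine($"{rows,5} rows {value.Length,8} chars -> {result,-8} {ms} ms");
        }
    }
}
```

The table contains nothing the expression matches, so every quote or angle bracket becomes a new starting point from which `[\s\S]*` scans to the end of the value and backtracks. Match time therefore grows much faster than the data size, which is consistent with the same data passing when posted in two smaller chunks.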

 

 
Sigurður Hergeirsson

forgot to mention my DW version: 9.10.7

:)

 
Nicolai Pedersen Dynamicweb Employee
This post has been marked as an answer

Hi

Change the SQL injection setting to ignore that field. The field has a name and that name can be added to ignore list and will not be checked.

BR Nicolai

Votes for this answer: 1

 
