Raise "Invalid request (HTTP 4xx)" not "Server error (5xx)" on invalid input
Some script kiddie has taken to running (what seem to be) "security tests" on my HyperKitty instance, with requests like the following:
https://lists.example.com/hyperkitty/?sort=creation%25%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23
Clearly, they're trying to do SQL injection. They're not having very much success AFAICT; however, the server raises a 5XX server error and sends me a fairly inscrutable email (lots of it, in fact). To avoid this, I'd like to suggest that instead a 4XX error code be raised to indicate that
- the request is bad, but
- the server doesn't need attention.
Edited by Andreas Klöckner
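One way to get the behaviour requested above, as an added example that is not HyperKitty's own code: validate the `sort` query parameter against an allowlist before it reaches any query logic, and map a rejection to HTTP 400 instead of letting an exception surface as a 5xx. Only `creation` is taken from the report; the other sort names, the default, and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: only "creation" appears in the report; the other
# names are hypothetical stand-ins for the application's real sort modes.
ALLOWED_SORT_MODES = frozenset({"creation", "name", "active", "popular"})
DEFAULT_SORT_MODE = "creation"  # hypothetical default


class BadRequest(Exception):
    """Client sent input the server refuses to process (maps to HTTP 400)."""


def validated_sort_mode(url):
    """Return the sort mode requested in url, or raise BadRequest."""
    # parse_qs percent-decodes the value, so the comparison below sees
    # the same string the application would.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("sort")
    if values is None:
        return DEFAULT_SORT_MODE
    if len(values) != 1:
        raise BadRequest("sort given more than once")
    if values[0] not in ALLOWED_SORT_MODES:
        raise BadRequest("unknown sort mode")
    return values[0]


def status_for(url):
    """HTTP status for a request: 400 on invalid input, never a 5xx."""
    try:
        validated_sort_mode(url)
    except BadRequest:
        return 400
    return 200


# Request copied from the report above.
REPORTED_URL = (
    "https://lists.example.com/hyperkitty/?sort=creation%25%27%20UNION%20ALL"
    "%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23"
)

if __name__ == "__main__":
    print(status_for(REPORTED_URL))
    print(status_for("https://lists.example.com/hyperkitty/?sort=creation"))
```

In a Django view the same check would return `HttpResponseBadRequest`, which does not trigger the error email sent for unhandled exceptions.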