author | Micael Karlberg <[email protected]> | 2011-09-15 09:43:48 +0200 |
committer | Micael Karlberg <[email protected]> | 2011-09-15 09:43:48 +0200 |
commit | 98fd9df4c4a04554fd2f707ca9ea2d674fad984d (patch) | |
tree | 8861e1e85f352d828cf31f0690feaae63c0088bd /lib/inets/src/http_client/httpc.erl | |
parent | 50261525973798faf7f62ea02356447b16e5fc56 (diff) | |
Updated http-server to make sure URLs in error-messages
are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.
OTP-8940
[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos
OTP-9124
Diffstat (limited to 'lib/inets/src/http_client/httpc.erl')
-rw-r--r-- | lib/inets/src/http_client/httpc.erl | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/lib/inets/src/http_client/httpc.erl b/lib/inets/src/http_client/httpc.erl
index 6deeab6948..ca186f46a7 100644
--- a/lib/inets/src/http_client/httpc.erl
+++ b/lib/inets/src/http_client/httpc.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2009-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2009-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -434,18 +434,21 @@ handle_request(Method, Url,
     Stream = proplists:get_value(stream, Options),
     Host2 = header_host(Scheme, Host, Port),
     HeadersRecord = header_record(NewHeaders, Host2, HTTPOptions),
-    Receiver = proplists:get_value(receiver, Options),
-    SocketOpts = proplists:get_value(socket_opts, Options),
+    Receiver = proplists:get_value(receiver, Options),
+    SocketOpts = proplists:get_value(socket_opts, Options),
+    MaybeEscPath = maybe_url_encode(HTTPOptions, Path),
+    MaybeEscQuery = maybe_url_encode(HTTPOptions, Query),
+    AbsUri = maybe_url_encode(HTTPOptions, Url),
     Request = #request{from = Receiver,
                        scheme = Scheme,
                        address = {Host, Port},
-                       path = Path,
-                       pquery = Query,
+                       path = MaybeEscPath,
+                       pquery = MaybeEscQuery,
                        method = Method,
                        headers = HeadersRecord,
                        content = {ContentType, Body},
                        settings = HTTPOptions,
-                       abs_uri = Url,
+                       abs_uri = AbsUri,
                        userinfo = UserInfo,
                        stream = Stream,
                        headers_as_is = headers_as_is(Headers, Options),
@@ -465,6 +468,10 @@ handle_request(Method, Url,
             Error
     end.
 
+maybe_url_encode(#http_options{url_encode = true}, URI) ->
+    http_uri:encode(URI);
+maybe_url_encode(_, URI) ->
+    URI.
 
 handle_answer(RequestId, false, _) ->
     {ok, RequestId};
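Review bot: Percent-encoding the complete absolute URL into `abs_uri`, and the whole `Path` and `Query` strings, escapes the delimiters together with the data: if `http_uri:encode/1` treats `:`, `/`, `?`, `=` and `&` as reserved (its reserved set does, as far as I recall), `http://host/a/b?x=1` is put on the wire as `http%3A%2F%2Fhost%2Fa%2Fb%3Fx%3D1`, which no origin server or proxy resolves to the intended resource, and a URL the caller already escaped gets its `%XX` sequences encoded a second time. With `url_encode` set the option is therefore unusable rather than a safety measure, and the `AbsUri = maybe_url_encode(HTTPOptions, Url)` line is the clearest case since it always corrupts the scheme separator. Encoding should be applied per path segment and per query parameter, keeping the separators, and `abs_uri` should be rebuilt from `Scheme`, `Host2` and the encoded components instead of from `Url`; the head of `handle_request`, where those values are bound, is outside this hunk, so the exact composition has to be checked there, and the `Query` handling below assumes it carries the leading `?` the way http_uri:parse returns it. A sketch of the per-component version, which would replace the `maybe_url_encode/2` helper added in the next hunk:

```erlang
    MaybeEscPath  = maybe_url_encode_path(HTTPOptions, Path),
    MaybeEscQuery = maybe_url_encode_query(HTTPOptions, Query),
    %% … unchanged: Request record, with abs_uri composed from Scheme, Host2,
    %% MaybeEscPath and MaybeEscQuery instead of http_uri:encode(Url) …

%% Encode only the data between the '/' separators. The input must not be
%% percent-encoded already; an existing %XX escape would be encoded again.
maybe_url_encode_path(#http_options{url_encode = true}, Path) ->
    encode_between(Path, "/");
maybe_url_encode_path(_, Path) ->
    Path.

%% Keep the leading '?' and the '&'/'=' delimiters; encode keys and values.
maybe_url_encode_query(#http_options{url_encode = true}, [$? | Params]) ->
    Pairs = re:split(Params, "&", [{return, list}]),
    [$? | string:join([encode_between(P, "=") || P <- Pairs], "&")];
maybe_url_encode_query(_, Query) ->
    Query.

encode_between(Str, Sep) ->
    Parts = re:split(Str, Sep, [{return, list}]),
    string:join([http_uri:encode(P) || P <- Parts], Sep).
```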
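Review bot: `maybe_url_encode/2` documents neither its precondition nor its scope, and both matter for callers that turn `url_encode` on: the input must be a raw, not-yet-escaped string, and the result is only meaningful for one URI component, not for a full URL. A header comment along the lines of `%% Percent-encode URI when the url_encode option is set. Expects an unencoded string: an existing %XX escape is encoded again, and http_uri:encode/1 also escapes reserved delimiters, so apply this to a single component, never to a whole URL.` would make that explicit. The option itself is user-facing, so the same caveat belongs in the httpc documentation for `url_encode`, which this commit does not touch as far as the diffstat shows.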
@@ -603,6 +610,13 @@ http_options_default() -> (_) -> error end, + + UrlDecodePost = fun(Value) when (Value =:= true) orelse + (Value =:= false) -> + {ok, Value}; + (_) -> + error + end, [ {version, {value, "HTTP/1.1"}, #http_options.version, VersionPost}, {timeout, {value, ?HTTP_REQUEST_TIMEOUT}, #http_options.timeout, TimeoutPost}, @@ -611,7 +625,8 @@ http_options_default() -> {proxy_auth, {value, undefined}, #http_options.proxy_auth, ProxyAuthPost}, {relaxed, {value, false}, #http_options.relaxed, RelaxedPost}, %% this field has to be *after* the timeout field (as that field is used for the default value) - {connect_timeout, {field, #http_options.timeout}, #http_options.connect_timeout, ConnTimeoutPost} + {connect_timeout, {field, #http_options.timeout}, #http_options.connect_timeout, ConnTimeoutPost}, + {url_encode, {value, false}, #http_options.url_encode, UrlDecodePost} ]. |
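Review bot: The validator for the `url_encode` option is bound as `UrlDecodePost`, which reads as the opposite of what it checks; rename it `UrlEncodePost` here and at its single use in the option-list entry of the following hunk (that hunk is cut off at the end of this page). The guard `when (Value =:= true) orelse (Value =:= false)` can be written `when is_boolean(Value)`, which says the intent directly; whether the neighbouring `*Post` funs already use that form is not visible here, so match whichever they do. The added field `#http_options.url_encode` must also exist in the `http_options` record definition, which lives in a header this diff does not include; presumably a sibling change adds it, but the build will fail if not.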