diff options
author | Micael Karlberg <[email protected]> | 2011-09-15 09:43:48 +0200 |
---|---|---|
committer | Micael Karlberg <[email protected]> | 2011-09-15 09:43:48 +0200 |
commit | 98fd9df4c4a04554fd2f707ca9ea2d674fad984d (patch) | |
tree | 8861e1e85f352d828cf31f0690feaae63c0088bd /lib/inets/src/http_client | |
parent | 50261525973798faf7f62ea02356447b16e5fc56 (diff) | |
download | otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.tar.gz otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.tar.bz2 otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.zip |
Updated http-server to make sure URLs in error-messages
are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.
OTP-8940
[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos
OTP-9124
Diffstat (limited to 'lib/inets/src/http_client')
-rw-r--r-- | lib/inets/src/http_client/Makefile | 5 | ||||
-rw-r--r-- | lib/inets/src/http_client/http_uri.erl | 116 | ||||
-rw-r--r-- | lib/inets/src/http_client/httpc.erl | 29 | ||||
-rw-r--r-- | lib/inets/src/http_client/httpc_handler.erl | 42 | ||||
-rw-r--r-- | lib/inets/src/http_client/httpc_internal.hrl | 8 |
5 files changed, 54 insertions, 146 deletions
diff --git a/lib/inets/src/http_client/Makefile b/lib/inets/src/http_client/Makefile index 628c91421f..184f45f589 100644 --- a/lib/inets/src/http_client/Makefile +++ b/lib/inets/src/http_client/Makefile @@ -1,7 +1,7 @@ # # %CopyrightBegin% # -# Copyright Ericsson AB 2005-2010. All Rights Reserved. +# Copyright Ericsson AB 2005-2011. All Rights Reserved. # # The contents of this file are subject to the Erlang Public License, # Version 1.1, (the "License"); you may not use this file except in @@ -50,8 +50,7 @@ MODULES = \ httpc_handler_sup \ httpc_profile_sup \ httpc_response \ - httpc_request \ - http_uri \ + httpc_request HRL_FILES = httpc_internal.hrl diff --git a/lib/inets/src/http_client/http_uri.erl b/lib/inets/src/http_client/http_uri.erl deleted file mode 100644 index 615a0d8ec4..0000000000 --- a/lib/inets/src/http_client/http_uri.erl +++ /dev/null @@ -1,116 +0,0 @@ -%% -%% %CopyrightBegin% -%% -%% Copyright Ericsson AB 2006-2009. All Rights Reserved. -%% -%% The contents of this file are subject to the Erlang Public License, -%% Version 1.1, (the "License"); you may not use this file except in -%% compliance with the License. You should have received a copy of the -%% Erlang Public License along with this software. If not, it can be -%% retrieved online at http://www.erlang.org/. -%% -%% Software distributed under the License is distributed on an "AS IS" -%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See -%% the License for the specific language governing rights and limitations -%% under the License. -%% -%% %CopyrightEnd% -%% -%% - --module(http_uri). - --export([parse/1]). - -%%%========================================================================= -%%% API -%%%========================================================================= -parse(AbsURI) -> - case parse_scheme(AbsURI) of - {error, Reason} -> - {error, Reason}; - {Scheme, Rest} -> - case (catch parse_uri_rest(Scheme, Rest)) of - {UserInfo, Host, Port, Path, Query} -> - {Scheme, UserInfo, Host, Port, Path, Query}; - _ -> - {error, {malformed_url, AbsURI}} - end - end. - -%%%======================================================================== -%%% Internal functions -%%%======================================================================== -parse_scheme(AbsURI) -> - case split_uri(AbsURI, ":", {error, no_scheme}, 1, 1) of - {error, no_scheme} -> - {error, no_scheme}; - {StrScheme, Rest} -> - case list_to_atom(http_util:to_lower(StrScheme)) of - Scheme when Scheme == http; Scheme == https -> - {Scheme, Rest}; - Scheme -> - {error, {not_supported_scheme, Scheme}} - end - end. - -parse_uri_rest(Scheme, "//" ++ URIPart) -> - - {Authority, PathQuery} = - case split_uri(URIPart, "/", URIPart, 1, 0) of - Split = {_, _} -> - Split; - URIPart -> - case split_uri(URIPart, "\\?", URIPart, 1, 0) of - Split = {_, _} -> - Split; - URIPart -> - {URIPart,""} - end - end, - - {UserInfo, HostPort} = split_uri(Authority, "@", {"", Authority}, 1, 1), - {Host, Port} = parse_host_port(Scheme, HostPort), - {Path, Query} = parse_path_query(PathQuery), - {UserInfo, Host, Port, Path, Query}. - - -parse_path_query(PathQuery) -> - {Path, Query} = split_uri(PathQuery, "\\?", {PathQuery, ""}, 1, 0), - {path(Path), Query}. - - -parse_host_port(Scheme,"[" ++ HostPort) -> %ipv6 - DefaultPort = default_port(Scheme), - {Host, ColonPort} = split_uri(HostPort, "\\]", {HostPort, ""}, 1, 1), - {_, Port} = split_uri(ColonPort, ":", {"", DefaultPort}, 0, 1), - {Host, int_port(Port)}; - -parse_host_port(Scheme, HostPort) -> - DefaultPort = default_port(Scheme), - {Host, Port} = split_uri(HostPort, ":", {HostPort, DefaultPort}, 1, 1), - {Host, int_port(Port)}. - -split_uri(UriPart, SplitChar, NoMatchResult, SkipLeft, SkipRight) -> - case inets_regexp:first_match(UriPart, SplitChar) of - {match, Match, _} -> - {string:substr(UriPart, 1, Match - SkipLeft), - string:substr(UriPart, Match + SkipRight, length(UriPart))}; - nomatch -> - NoMatchResult - end. - -default_port(http) -> - 80; -default_port(https) -> - 443. - -int_port(Port) when is_integer(Port) -> - Port; -int_port(Port) when is_list(Port) -> - list_to_integer(Port). - -path("") -> - "/"; -path(Path) -> - Path. diff --git a/lib/inets/src/http_client/httpc.erl b/lib/inets/src/http_client/httpc.erl index 6deeab6948..ca186f46a7 100644 --- a/lib/inets/src/http_client/httpc.erl +++ b/lib/inets/src/http_client/httpc.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2009-2010. All Rights Reserved. +%% Copyright Ericsson AB 2009-2011. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -434,18 +434,21 @@ handle_request(Method, Url, Stream = proplists:get_value(stream, Options), Host2 = header_host(Scheme, Host, Port), HeadersRecord = header_record(NewHeaders, Host2, HTTPOptions), - Receiver = proplists:get_value(receiver, Options), - SocketOpts = proplists:get_value(socket_opts, Options), + Receiver = proplists:get_value(receiver, Options), + SocketOpts = proplists:get_value(socket_opts, Options), + MaybeEscPath = maybe_url_encode(HTTPOptions, Path), + MaybeEscQuery = maybe_url_encode(HTTPOptions, Query), + AbsUri = maybe_url_encode(HTTPOptions, Url), Request = #request{from = Receiver, scheme = Scheme, address = {Host, Port}, - path = Path, - pquery = Query, + path = MaybeEscPath, + pquery = MaybeEscQuery, method = Method, headers = HeadersRecord, content = {ContentType, Body}, settings = HTTPOptions, - abs_uri = Url, + abs_uri = AbsUri, userinfo = UserInfo, stream = Stream, headers_as_is = headers_as_is(Headers, Options), @@ -465,6 +468,10 @@ handle_request(Method, Url, Error end. +maybe_url_encode(#http_options{url_encode = true}, URI) -> + http_uri:encode(URI); +maybe_url_encode(_, URI) -> + URI. handle_answer(RequestId, false, _) -> {ok, RequestId}; @@ -603,6 +610,13 @@ http_options_default() -> (_) -> error end, + + UrlDecodePost = fun(Value) when (Value =:= true) orelse + (Value =:= false) -> + {ok, Value}; + (_) -> + error + end, [ {version, {value, "HTTP/1.1"}, #http_options.version, VersionPost}, {timeout, {value, ?HTTP_REQUEST_TIMEOUT}, #http_options.timeout, TimeoutPost}, @@ -611,7 +625,8 @@ http_options_default() -> {proxy_auth, {value, undefined}, #http_options.proxy_auth, ProxyAuthPost}, {relaxed, {value, false}, #http_options.relaxed, RelaxedPost}, %% this field has to be *after* the timeout field (as that field is used for the default value) - {connect_timeout, {field, #http_options.timeout}, #http_options.connect_timeout, ConnTimeoutPost} + {connect_timeout, {field, #http_options.timeout}, #http_options.connect_timeout, ConnTimeoutPost}, + {url_encode, {value, false}, #http_options.url_encode, UrlDecodePost} ]. diff --git a/lib/inets/src/http_client/httpc_handler.erl b/lib/inets/src/http_client/httpc_handler.erl index db5ff3036a..5e5a9ce32e 100644 --- a/lib/inets/src/http_client/httpc_handler.erl +++ b/lib/inets/src/http_client/httpc_handler.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2002-2010. All Rights Reserved. +%% Copyright Ericsson AB 2002-2011. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -794,37 +794,43 @@ deliver_answers([Request|Requests]) -> %% Purpose: Convert process state when code is changed %%-------------------------------------------------------------------- code_change(_, #state{request = Request, pipeline = Queue} = State, - [{from, '5.0.1'}, {to, '5.0.2'}]) -> - Settings = new_http_options(Request#request.settings), + from_pre_5_3_5) -> + Settings = new_http_options(Request#request.settings), NewRequest = Request#request{settings = Settings}, - NewQueue = new_queue(Queue, fun new_http_options/1), + NewQueue = new_queue(Queue, fun new_http_options/1), {ok, State#state{request = NewRequest, pipeline = NewQueue}}; code_change(_, #state{request = Request, pipeline = Queue} = State, - [{from, '5.0.2'}, {to, '5.0.1'}]) -> - Settings = old_http_options(Request#request.settings), + to_pre_5_3_5) -> + Settings = old_http_options(Request#request.settings), NewRequest = Request#request{settings = Settings}, - NewQueue = new_queue(Queue, fun old_http_options/1), + NewQueue = new_queue(Queue, fun old_http_options/1), {ok, State#state{request = NewRequest, pipeline = NewQueue}}; code_change(_, State, _) -> {ok, State}. -new_http_options({http_options, TimeOut, AutoRedirect, SslOpts, - Auth, Relaxed}) -> - {http_options, "HTTP/1.1", TimeOut, AutoRedirect, SslOpts, - Auth, Relaxed}. - -old_http_options({http_options, _, TimeOut, AutoRedirect, - SslOpts, Auth, Relaxed}) -> - {http_options, TimeOut, AutoRedirect, SslOpts, Auth, Relaxed}. - -new_queue(Queue, Fun) -> +new_http_options({http_options, + Version, Timeout, AutoRedirect, SslOpts, + ProxyAuth, Relaxed, ConnTimeout}) -> + UrlEncoding = false, + {http_options, + Version, Timeout, AutoRedirect, SslOpts, + ProxyAuth, Relaxed, ConnTimeout, UrlEncoding}. + +old_http_options({http_options, + Version, TimeOut, AutoRedirect, SslOpts, + ProxyAuth, Relaxed, ConnTimeout, _UrlEncode}) -> + {http_options, + Version, TimeOut, AutoRedirect, SslOpts, + ProxyAuth, Relaxed, ConnTimeout}. + +new_queue(Queue, TransformSettings) -> List = queue:to_list(Queue), NewList = lists:map(fun(Request) -> Settings = - Fun(Request#request.settings), + TransformSettings(Request#request.settings), Request#request{settings = Settings} end, List), queue:from_list(NewList). diff --git a/lib/inets/src/http_client/httpc_internal.hrl b/lib/inets/src/http_client/httpc_internal.hrl index 4d76c4beb3..7513aa2838 100644 --- a/lib/inets/src/http_client/httpc_internal.hrl +++ b/lib/inets/src/http_client/httpc_internal.hrl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2005-2010. All Rights Reserved. +%% Copyright Ericsson AB 2005-2011. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -56,7 +56,11 @@ relaxed = false, %% integer() - ms before a connect times out - connect_timeout = ?HTTP_REQUEST_CTIMEOUT + connect_timeout = ?HTTP_REQUEST_CTIMEOUT, + + %% bool() - Use %-encoding rfc 2396 + url_encode + } ). |