Updated http-server to make sure URLs in error-messages

are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.

OTP-8940

[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos

OTP-9124

5 files changed, 54 insertions, 146 deletions

diff --git a/lib/inets/src/http_client/Makefile b/lib/inets/src/http_client/Makefile
index 628c91421f..184f45f589 100644
--- a/lib/inets/src/http_client/Makefile
+++ b/lib/inets/src/http_client/Makefile
@@ -1,7 +1,7 @@
 #
 # %CopyrightBegin%
 #
-# Copyright Ericsson AB 2005-2010. All Rights Reserved.
+# Copyright Ericsson AB 2005-2011. All Rights Reserved.
 #
 # The contents of this file are subject to the Erlang Public License,
 # Version 1.1, (the "License"); you may not use this file except in
@@ -50,8 +50,7 @@ MODULES = \
 	httpc_handler_sup \
 	httpc_profile_sup \
 	httpc_response \
-	httpc_request \
-	http_uri \
+	httpc_request
 
 HRL_FILES = httpc_internal.hrl
 
diff --git a/lib/inets/src/http_client/http_uri.erl b/lib/inets/src/http_client/http_uri.erl
deleted file mode 100644
index 615a0d8ec4..0000000000
--- a/lib/inets/src/http_client/http_uri.erl
+++ /dev/null
@@ -1,116 +0,0 @@
-%%
-%% %CopyrightBegin%
-%% 
-%% Copyright Ericsson AB 2006-2009. All Rights Reserved.
-%% 
-%% The contents of this file are subject to the Erlang Public License,
-%% Version 1.1, (the "License"); you may not use this file except in
-%% compliance with the License. You should have received a copy of the
-%% Erlang Public License along with this software. If not, it can be
-%% retrieved online at http://www.erlang.org/.
-%% 
-%% Software distributed under the License is distributed on an "AS IS"
-%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
-%% the License for the specific language governing rights and limitations
-%% under the License.
-%% 
-%% %CopyrightEnd%
-%%
-%%
-
--module(http_uri).
-
--export([parse/1]).
-
-%%%=========================================================================
-%%%  API
-%%%=========================================================================
-parse(AbsURI) ->
-    case parse_scheme(AbsURI) of
-	{error, Reason} ->
-	    {error, Reason};
-	{Scheme, Rest} ->
-	    case (catch parse_uri_rest(Scheme, Rest)) of
-		{UserInfo, Host, Port, Path, Query} ->
-		    {Scheme, UserInfo, Host, Port, Path, Query};
-		_  ->
-		    {error, {malformed_url, AbsURI}}    
-	    end
-    end.
-
-%%%========================================================================
-%%% Internal functions
-%%%========================================================================
-parse_scheme(AbsURI) ->
-    case split_uri(AbsURI, ":", {error, no_scheme}, 1, 1) of
-	{error, no_scheme} ->
-	    {error, no_scheme};
-	{StrScheme, Rest} ->
-	    case list_to_atom(http_util:to_lower(StrScheme)) of
-		Scheme when Scheme == http; Scheme == https ->
-		    {Scheme, Rest};
-		Scheme ->
-		    {error, {not_supported_scheme, Scheme}}
-	    end
-    end.
-
-parse_uri_rest(Scheme, "//" ++ URIPart) ->
-
-    {Authority, PathQuery} = 
-	case split_uri(URIPart, "/", URIPart, 1, 0) of
-	    Split = {_, _} ->
-		Split;
-	    URIPart ->
-		case split_uri(URIPart, "\\?", URIPart, 1, 0) of
-		    Split = {_, _} ->
-			Split;
-		    URIPart ->
-			{URIPart,""}
-		end
-	end,
-    
-    {UserInfo, HostPort} = split_uri(Authority, "@", {"", Authority}, 1, 1),
-    {Host, Port} = parse_host_port(Scheme, HostPort),
-    {Path, Query} = parse_path_query(PathQuery),
-    {UserInfo, Host, Port, Path, Query}.
-
-
-parse_path_query(PathQuery) ->
-    {Path, Query} =  split_uri(PathQuery, "\\?", {PathQuery, ""}, 1, 0),
-    {path(Path), Query}.
-    
-
-parse_host_port(Scheme,"[" ++ HostPort) -> %ipv6
-    DefaultPort = default_port(Scheme),
-    {Host, ColonPort} = split_uri(HostPort, "\\]", {HostPort, ""}, 1, 1),
-    {_, Port} = split_uri(ColonPort, ":", {"", DefaultPort}, 0, 1),
-    {Host, int_port(Port)};
-
-parse_host_port(Scheme, HostPort) ->
-    DefaultPort = default_port(Scheme),
-    {Host, Port} = split_uri(HostPort, ":", {HostPort, DefaultPort}, 1, 1),
-    {Host, int_port(Port)}.
-    
-split_uri(UriPart, SplitChar, NoMatchResult, SkipLeft, SkipRight) ->
-    case inets_regexp:first_match(UriPart, SplitChar) of
-	{match, Match, _} ->
-	    {string:substr(UriPart, 1, Match - SkipLeft),
-	     string:substr(UriPart, Match + SkipRight, length(UriPart))}; 
-	nomatch ->
-	    NoMatchResult
-    end.
-
-default_port(http) ->
-    80;
-default_port(https) ->
-    443.
-
-int_port(Port) when is_integer(Port) ->
-    Port;
-int_port(Port) when is_list(Port) ->
-    list_to_integer(Port).
-
-path("") ->
-    "/";
-path(Path) ->
-    Path.
diff --git a/lib/inets/src/http_client/httpc.erl b/lib/inets/src/http_client/httpc.erl
index 6deeab6948..ca186f46a7 100644
--- a/lib/inets/src/http_client/httpc.erl
+++ b/lib/inets/src/http_client/httpc.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2009-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2009-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -434,18 +434,21 @@ handle_request(Method, Url,
 	    Stream        = proplists:get_value(stream, Options),
 	    Host2         = header_host(Scheme, Host, Port), 
 	    HeadersRecord = header_record(NewHeaders, Host2, HTTPOptions),
-	    Receiver   = proplists:get_value(receiver, Options),
-	    SocketOpts = proplists:get_value(socket_opts, Options),
+	    Receiver      = proplists:get_value(receiver, Options),
+	    SocketOpts    = proplists:get_value(socket_opts, Options),
+	    MaybeEscPath  = maybe_url_encode(HTTPOptions, Path), 
+	    MaybeEscQuery = maybe_url_encode(HTTPOptions, Query), 
+	    AbsUri        = maybe_url_encode(HTTPOptions, Url), 
 	    Request = #request{from          = Receiver,
 			       scheme        = Scheme, 
 			       address       = {Host, Port},
-			       path          = Path, 
-			       pquery        = Query, 
+			       path          = MaybeEscPath, 
+			       pquery        = MaybeEscQuery, 
 			       method        = Method,
 			       headers       = HeadersRecord, 
 			       content       = {ContentType, Body},
 			       settings      = HTTPOptions, 
-			       abs_uri       = Url, 
+			       abs_uri       = AbsUri, 
 			       userinfo      = UserInfo, 
 			       stream        = Stream, 
 			       headers_as_is = headers_as_is(Headers, Options),
@@ -465,6 +468,10 @@ handle_request(Method, Url,
 	    Error
     end.
 
+maybe_url_encode(#http_options{url_encode = true}, URI) ->
+    http_uri:encode(URI);
+maybe_url_encode(_, URI) ->
+    URI.
 
 handle_answer(RequestId, false, _) ->
     {ok, RequestId};
@@ -603,6 +610,13 @@ http_options_default() ->
 	   (_) ->
 		error
 	end,
+    
+    UrlDecodePost = fun(Value) when (Value =:= true) orelse 
+				    (Value =:= false) ->
+			    {ok, Value};
+		       (_) ->
+			    error
+		    end,
     [
      {version,         {value, "HTTP/1.1"},              #http_options.version,         VersionPost}, 
      {timeout,         {value, ?HTTP_REQUEST_TIMEOUT},   #http_options.timeout,         TimeoutPost},
@@ -611,7 +625,8 @@ http_options_default() ->
      {proxy_auth,      {value, undefined},               #http_options.proxy_auth,      ProxyAuthPost},
      {relaxed,         {value, false},                   #http_options.relaxed,         RelaxedPost},
      %% this field has to be *after* the timeout field (as that field is used for the default value)
-     {connect_timeout, {field,   #http_options.timeout}, #http_options.connect_timeout, ConnTimeoutPost}
+     {connect_timeout, {field,   #http_options.timeout}, #http_options.connect_timeout, ConnTimeoutPost}, 
+     {url_encode,      {value, false},                   #http_options.url_encode, UrlDecodePost}
     ].
 
 
diff --git a/lib/inets/src/http_client/httpc_handler.erl b/lib/inets/src/http_client/httpc_handler.erl
index db5ff3036a..5e5a9ce32e 100644
--- a/lib/inets/src/http_client/httpc_handler.erl
+++ b/lib/inets/src/http_client/httpc_handler.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %% 
-%% Copyright Ericsson AB 2002-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2002-2011. All Rights Reserved.
 %% 
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -794,37 +794,43 @@ deliver_answers([Request|Requests]) ->
 %% Purpose: Convert process state when code is changed
 %%--------------------------------------------------------------------
 code_change(_, #state{request = Request, pipeline = Queue} = State, 
-	    [{from, '5.0.1'}, {to, '5.0.2'}]) ->
-    Settings = new_http_options(Request#request.settings),
+	    from_pre_5_3_5) ->
+    Settings   = new_http_options(Request#request.settings),
     NewRequest = Request#request{settings = Settings},
-    NewQueue = new_queue(Queue, fun new_http_options/1),
+    NewQueue   = new_queue(Queue, fun new_http_options/1),
     {ok, State#state{request = NewRequest, pipeline = NewQueue}};
 
 code_change(_, #state{request = Request, pipeline = Queue} = State, 
-	    [{from, '5.0.2'}, {to, '5.0.1'}]) ->
-    Settings = old_http_options(Request#request.settings),
+	    to_pre_5_3_5) ->
+    Settings   = old_http_options(Request#request.settings),
     NewRequest = Request#request{settings = Settings},
-    NewQueue = new_queue(Queue, fun old_http_options/1),
+    NewQueue   = new_queue(Queue, fun old_http_options/1),
     {ok, State#state{request = NewRequest, pipeline = NewQueue}};
 
 code_change(_, State, _) ->
     {ok, State}.
 
-new_http_options({http_options, TimeOut, AutoRedirect, SslOpts,
-		  Auth, Relaxed}) ->
-    {http_options, "HTTP/1.1", TimeOut, AutoRedirect, SslOpts,
-     Auth, Relaxed}.
-
-old_http_options({http_options, _, TimeOut, AutoRedirect,
-		  SslOpts, Auth, Relaxed}) ->
-    {http_options, TimeOut, AutoRedirect, SslOpts, Auth, Relaxed}.
-
-new_queue(Queue, Fun) ->
+new_http_options({http_options, 
+		  Version, Timeout, AutoRedirect, SslOpts, 
+		  ProxyAuth, Relaxed, ConnTimeout}) ->
+    UrlEncoding = false, 
+    {http_options, 
+     Version, Timeout, AutoRedirect, SslOpts, 
+     ProxyAuth, Relaxed, ConnTimeout, UrlEncoding}.
+
+old_http_options({http_options, 
+		  Version, TimeOut, AutoRedirect, SslOpts, 
+		  ProxyAuth, Relaxed, ConnTimeout, _UrlEncode}) ->
+    {http_options, 
+     Version, TimeOut, AutoRedirect, SslOpts, 
+     ProxyAuth, Relaxed, ConnTimeout}.
+
+new_queue(Queue, TransformSettings) ->
     List = queue:to_list(Queue),
     NewList = 
 	lists:map(fun(Request) ->
 			  Settings = 
-			      Fun(Request#request.settings),
+			      TransformSettings(Request#request.settings),
 			  Request#request{settings = Settings}
 		  end, List),
     queue:from_list(NewList).
diff --git a/lib/inets/src/http_client/httpc_internal.hrl b/lib/inets/src/http_client/httpc_internal.hrl
index 4d76c4beb3..7513aa2838 100644
--- a/lib/inets/src/http_client/httpc_internal.hrl
+++ b/lib/inets/src/http_client/httpc_internal.hrl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2005-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2005-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -56,7 +56,11 @@
 	  relaxed = false, 
 
 	  %% integer() - ms before a connect times out
-	  connect_timeout = ?HTTP_REQUEST_CTIMEOUT  
+	  connect_timeout = ?HTTP_REQUEST_CTIMEOUT,
+	  
+	  %% bool() - Use %-encoding rfc 2396
+	  url_encode
+
 	 }
        ).