authorMicael Karlberg <[email protected]>2011-11-01 18:14:58 +0100
committerMicael Karlberg <[email protected]>2011-11-01 18:14:58 +0100
commit2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea (patch)
treee47f27ddf5c4a2846bbe578e18d9f41b9de10c15 /lib/inets/src/http_lib/http_uri.erl
parentf8b20b4a995727f0339074d23a0fae50712683d2 (diff)
parentb6719f7943cbaeb10d5121f360f9540db494b639 (diff)
[httpd] XSS prevention did not work for hex-encoded URLs.
OTP-9655 Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/inets536_integration
Diffstat (limited to 'lib/inets/src/http_lib/http_uri.erl')
-rw-r--r--lib/inets/src/http_lib/http_uri.erl18
1 files changed, 12 insertions, 6 deletions
diff --git a/lib/inets/src/http_lib/http_uri.erl b/lib/inets/src/http_lib/http_uri.erl
index 3804af60f4..d03acff3a9 100644
--- a/lib/inets/src/http_lib/http_uri.erl
+++ b/lib/inets/src/http_lib/http_uri.erl
@@ -21,7 +21,8 @@
-module(http_uri).
-export([parse/1]).
--export([parse/1, encode/1, decode/1]).
+-export([encode/1, decode/1]).
+
%%%=========================================================================
%%% API
@@ -45,16 +46,21 @@ encode(URI) ->
$\\, $', $^, $%, $ ]),
lists:append(lists:map(fun(Char) -> uri_encode(Char, Reserved) end, URI)).
-decode([$%,Hex1,Hex2|Rest]) ->
- [hex2dec(Hex1)*16+hex2dec(Hex2)|decode(Rest)];
-decode([First|Rest]) ->
- [First|decode(Rest)];
-decode([]) ->
+decode(String) ->
+ do_decode(String).
+
+do_decode([$%,Hex1,Hex2|Rest]) ->
+ [hex2dec(Hex1)*16+hex2dec(Hex2)|do_decode(Rest)];
+do_decode([First|Rest]) ->
+ [First|do_decode(Rest)];
+do_decode([]) ->
[].
+
%%%========================================================================
%%% Internal functions
%%%========================================================================
+
parse_scheme(AbsURI) ->
case split_uri(AbsURI, ":", {error, no_scheme}, 1, 1) of
{error, no_scheme} ->
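Review bot: do_decode/1 still lets a malformed escape through silently: a `%` that is not followed by two further characters (`[$%]`, `[$%, H]`) misses the first clause and is emitted literally by the `[First|Rest]` clause, while a `%` followed by two non-hex characters is handed to hex2dec/1, whose behaviour on such input is defined outside this hunk. Given the commit title, decode/1 is presumably applied to request-supplied URIs, so that contract should be stated where callers can see it, e.g. above decode/1: `%% Decodes %XX escapes; a '%' not followed by two hex digits is passed through unchanged, a '%' followed by two non-hex characters is left to hex2dec/1` — and if hex2dec/1 crashes on non-hex input, callers that filter untrusted URIs need to expect that error rather than a decoded string. The split into decode/1 and do_decode/1 adds no behaviour; unless an argument check is planned for decode/1, the wrapper is an indirection a reader will wonder about, and a `-spec decode(string()) -> string().` next to the export would document the intended input and output more precisely than the indirection does.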