diff options
| author | Micael Karlberg <[email protected]> | 2011-11-01 18:14:58 +0100 |
|---|---|---|
| committer | Micael Karlberg <[email protected]> | 2011-11-01 18:14:58 +0100 |
| commit | 2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea (patch) | |
| tree | e47f27ddf5c4a2846bbe578e18d9f41b9de10c15 /lib/inets/src/http_server/httpd_request.erl | |
| parent | f8b20b4a995727f0339074d23a0fae50712683d2 (diff) | |
| parent | b6719f7943cbaeb10d5121f360f9540db494b639 (diff) | |
| download | otp-2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea.tar.gz otp-2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea.tar.bz2 otp-2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea.zip | |
[httpd] XSS prevention did not work for hex-encoded URL's.
OTP-9655
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/inets536_integration
Diffstat (limited to 'lib/inets/src/http_server/httpd_request.erl')
| -rw-r--r-- | lib/inets/src/http_server/httpd_request.erl | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/inets/src/http_server/httpd_request.erl b/lib/inets/src/http_server/httpd_request.erl index 75f03c4fc2..1c23316ecb 100644 --- a/lib/inets/src/http_server/httpd_request.erl +++ b/lib/inets/src/http_server/httpd_request.erl @@ -261,12 +261,12 @@ validate_uri(RequestURI) -> (catch http_uri:decode(string:left(RequestURI, Ndx))) end, case UriNoQueryNoHex of - {'EXIT',_Reason} -> + {'EXIT', _Reason} -> {error, {bad_request, {malformed_syntax, RequestURI}}}; _ -> - Path = format_request_uri(UriNoQueryNoHex), - Path2=[X||X<-string:tokens(Path, "/"),X=/="."], %% OTP-5938 - validate_path( Path2,0, RequestURI) + Path = format_request_uri(UriNoQueryNoHex), + Path2 = [X||X<-string:tokens(Path, "/"),X=/="."], %% OTP-5938 + validate_path(Path2, 0, RequestURI) end. validate_path([], _, _) -> |