authorMicael Karlberg <[email protected]>2011-11-09 18:22:49 +0100
committerMicael Karlberg <[email protected]>2011-11-09 18:22:49 +0100
commita7b67af7d2db9a442bd28952cca3fc61e5f0f227 (patch)
tree93c878e712e9309469e8f1c2de80548e21f1143b /lib/inets/src/http_server/httpd_response.erl
parentf561a98a9b89738467b52ab5213562de753f6ad2 (diff)
parent53b434e40047fc4e085f57412b4e2227faddf23b (diff)
[httpd] XSS prevention did not work for hex-encoded URLs.
OTP-9655 Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655' into bmk/inets/inets572_integration
Diffstat (limited to 'lib/inets/src/http_server/httpd_response.erl')
-rw-r--r--lib/inets/src/http_server/httpd_response.erl16
1 files changed, 12 insertions, 4 deletions
diff --git a/lib/inets/src/http_server/httpd_response.erl b/lib/inets/src/http_server/httpd_response.erl
index ea9cfbf4f2..1301f27081 100644
--- a/lib/inets/src/http_server/httpd_response.erl
+++ b/lib/inets/src/http_server/httpd_response.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 1997-2009. All Rights Reserved.
+%% Copyright Ericsson AB 1997-2011. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -100,12 +100,19 @@ send_status(#mod{socket_type = SocketType,
socket = Socket,
config_db = ConfigDB} = ModData, StatusCode, PhraseArgs) ->
+ ?hdrd("send status", [{status_code, StatusCode},
+ {phrase_args, PhraseArgs}]),
+
ReasonPhrase = httpd_util:reason_phrase(StatusCode),
Message = httpd_util:message(StatusCode, PhraseArgs, ConfigDB),
Body = get_body(ReasonPhrase, Message),
- send_header(ModData, StatusCode, [{content_type, "text/html"},
- {content_length, integer_to_list(length(Body))}]),
+ ?hdrt("send status - header", [{reason_phrase, ReasonPhrase},
+ {message, Message}]),
+ send_header(ModData, StatusCode,
+ [{content_type, "text/html"},
+ {content_length, integer_to_list(length(Body))}]),
+
httpd_socket:deliver(SocketType, Socket, Body).
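Review bot: The new `?hdrd`/`?hdrt` trace calls at the top of the body and just before send_header emit PhraseArgs and Message, and the commit subject says this is the path where hex-encoded URLs slipped past the XSS check, so those terms presumably carry client-supplied request text; nothing in the hunk records that. A one-line comment above the first trace, `%% PhraseArgs/Message may embed client-supplied request data (OTP-9655); it must stay escaped before it reaches Body`, would make the trust boundary visible to the next reader. The content_length value is `length(Body)`, which equals the byte count only while Body is a flat list of bytes; if httpd_util:message can return code points above 255 the header would be short, so either a comment stating the byte-list assumption or `byte_size(iolist_to_binary(Body))` would be safer. The blank lines added after the first trace and before the deliver call are the only such separators in this function and erlfmt would drop them. The function head begins on the hunk header line, outside the hunk.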
@@ -345,8 +352,9 @@ transform({Field, Value}) when is_list(Field) ->
%% Leave this method and go on to the newer form of response
%% OTP-4408
%%----------------------------------------------------------------------
-send_response_old(#mod{method = "HEAD"} = ModData,
+send_response_old(#mod{method = "HEAD"} = ModData,
StatusCode, Response) ->
+
NewResponse = lists:flatten(Response),
case httpd_util:split(NewResponse, [?CR, ?LF, ?CR, ?LF],2) of