diff options
| author | Micael Karlberg <[email protected]> | 2011-11-01 18:14:58 +0100 |
|---|---|---|
| committer | Micael Karlberg <[email protected]> | 2011-11-01 18:14:58 +0100 |
| commit | 2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea (patch) | |
| tree | e47f27ddf5c4a2846bbe578e18d9f41b9de10c15 /lib/inets/src/http_server/httpd_response.erl | |
| parent | f8b20b4a995727f0339074d23a0fae50712683d2 (diff) | |
| parent | b6719f7943cbaeb10d5121f360f9540db494b639 (diff) | |
| download | otp-2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea.tar.gz otp-2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea.tar.bz2 otp-2da7b99f186e7a8f9a74b1c7aa60b1354cbc31ea.zip | |
[httpd] XSS prevention did not work for hex-encoded URL's.
OTP-9655
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/inets536_integration
Diffstat (limited to 'lib/inets/src/http_server/httpd_response.erl')
| -rw-r--r-- | lib/inets/src/http_server/httpd_response.erl | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/lib/inets/src/http_server/httpd_response.erl b/lib/inets/src/http_server/httpd_response.erl index ea9cfbf4f2..1301f27081 100644 --- a/lib/inets/src/http_server/httpd_response.erl +++ b/lib/inets/src/http_server/httpd_response.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 1997-2009. All Rights Reserved. +%% Copyright Ericsson AB 1997-2011. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -100,12 +100,19 @@ send_status(#mod{socket_type = SocketType, socket = Socket, config_db = ConfigDB} = ModData, StatusCode, PhraseArgs) -> + ?hdrd("send status", [{status_code, StatusCode}, + {phrase_args, PhraseArgs}]), + ReasonPhrase = httpd_util:reason_phrase(StatusCode), Message = httpd_util:message(StatusCode, PhraseArgs, ConfigDB), Body = get_body(ReasonPhrase, Message), - send_header(ModData, StatusCode, [{content_type, "text/html"}, - {content_length, integer_to_list(length(Body))}]), + ?hdrt("send status - header", [{reason_phrase, ReasonPhrase}, + {message, Message}]), + send_header(ModData, StatusCode, + [{content_type, "text/html"}, + {content_length, integer_to_list(length(Body))}]), + httpd_socket:deliver(SocketType, Socket, Body). @@ -345,8 +352,9 @@ transform({Field, Value}) when is_list(Field) -> %% Leave this method and go on to the newer form of response %% OTP-4408 %%---------------------------------------------------------------------- -send_response_old(#mod{method = "HEAD"} = ModData, +send_response_old(#mod{method = "HEAD"} = ModData, StatusCode, Response) -> + NewResponse = lists:flatten(Response), case httpd_util:split(NewResponse, [?CR, ?LF, ?CR, ?LF],2) of |