diff options
| author | Erlang/OTP <[email protected]> | 2011-11-01 18:42:42 +0100 |
|---|---|---|
| committer | Erlang/OTP <[email protected]> | 2011-11-01 18:42:42 +0100 |
| commit | 65db6eb562b0376dd29fc60e9378d7b3b8ac386b (patch) | |
| tree | 26c5761f96eabdd7f4f1ec83e5edb7853b180db6 /lib/inets/src/http_server/httpd_util.erl | |
| parent | f8b20b4a995727f0339074d23a0fae50712683d2 (diff) | |
| parent | f8f0496c1b85169f6e72b6f875c521f09a471bbf (diff) | |
| download | otp-65db6eb562b0376dd29fc60e9378d7b3b8ac386b.tar.gz otp-65db6eb562b0376dd29fc60e9378d7b3b8ac386b.tar.bz2 otp-65db6eb562b0376dd29fc60e9378d7b3b8ac386b.zip | |
Merge branch 'bmk/inets/inets536_integration' into maint-r13
* bmk/inets/inets536_integration:
[httpd] GET request with malformed header date caused server crash (non-fatal) with no reply to client. Will now result in a reply with status code 400. OTP-9674
Added versions 5.2, 5.1.3 and 5.1.2 again. OTP-9655
Uncommented ipv6 test cases. OTP-9655
Fixed HTML encode. First *try* to hex decode uri, and then do the actual html encode. OTP-9655
Skip catching hex decode failure. OTP-9655
Fixed hex-decoding. OTP-9655
Problems with proxy test cases. OTP-9655
Added release notes, appup and correct version. OTP-9655
The XSS prevention methods used was confused if the URL was encoded (hex-encoded). OTP-9655
Diffstat (limited to 'lib/inets/src/http_server/httpd_util.erl')
| -rw-r--r-- | lib/inets/src/http_server/httpd_util.erl | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/lib/inets/src/http_server/httpd_util.erl b/lib/inets/src/http_server/httpd_util.erl index 7fe5d6d152..15bfe9c621 100644 --- a/lib/inets/src/http_server/httpd_util.erl +++ b/lib/inets/src/http_server/httpd_util.erl @@ -180,10 +180,10 @@ message(301,URL,_) -> message(304, _URL,_) -> "The document has not been changed."; message(400, none, _) -> - "Your browser sent a query that this server could not understand."; + "Your browser sent a query that this server could not understand. "; message(400, Msg, _) -> "Your browser sent a query that this server could not understand. " ++ - http_util:html_encode(Msg); + html_encode(Msg); message(401, none, _) -> "This server could not verify that you are authorized to access the document you @@ -193,29 +193,29 @@ browser doesn't understand how to supply the credentials required."; message(403,RequestURI,_) -> "You don't have permission to access " ++ - http_util:html_encode(RequestURI) ++ + html_encode(RequestURI) ++ " on this server."; message(404,RequestURI,_) -> "The requested URL " ++ - http_util:html_encode(RequestURI) ++ + html_encode(RequestURI) ++ " was not found on this server."; message(408, Timeout, _) -> Timeout; message(412,none,_) -> "The requested preconditions where false"; message(413, Reason,_) -> - "Entity: " ++ http_util:html_encode(Reason); + "Entity: " ++ html_encode(Reason); message(414,ReasonPhrase,_) -> - "Message " ++ http_util:html_encode(ReasonPhrase) ++ "."; + "Message " ++ html_encode(ReasonPhrase) ++ "."; message(416,ReasonPhrase,_) -> - http_util:html_encode(ReasonPhrase); + html_encode(ReasonPhrase); message(500,_,ConfigDB) -> ServerAdmin = lookup(ConfigDB, server_admin, "unknown@unknown"), "The server encountered an internal error or " "misconfiguration and was unable to complete " "your request.<P>Please contact the server administrator " - ++ http_util:html_encode(ServerAdmin) ++ + ++ html_encode(ServerAdmin) ++ ", and inform them of the time the error occurred " "and anything you might have done that may have caused the error."; @@ -224,17 +224,17 @@ message(501,{Method, RequestURI, HTTPVersion}, _ConfigDB) -> is_atom(Method) -> atom_to_list(Method)++ " to " ++ - http_util:html_encode(RequestURI) ++ + html_encode(RequestURI) ++ " (" ++ HTTPVersion ++ ") not supported."; is_list(Method) -> Method++ " to " ++ - http_util:html_encode(RequestURI) ++ + html_encode(RequestURI) ++ " (" ++ HTTPVersion ++ ") not supported." end; message(503, String, _ConfigDB) -> - "This service in unavailable due to: " ++ http_util:html_encode(String). + "This service in unavailable due to: " ++ html_encode(String). maybe_encode(URI) -> case lists:member($%, URI) of @@ -244,6 +244,15 @@ maybe_encode(URI) -> http_uri:encode(URI) end. +html_encode(String) -> + try http_uri:decode(String) of + Decoded when is_list(Decoded) -> + http_util:html_encode(Decoded) + catch + _:_ -> + http_util:html_encode(String) + end. + %%convert_rfc_date(Date)->{{YYYY,MM,DD},{HH,MIN,SEC}} convert_request_date([D,A,Y,DateType| Rest])-> @@ -256,7 +265,7 @@ convert_request_date([D,A,Y,DateType| Rest])-> fun convert_rfc850_date/1 end, case catch Func([D,A,Y,DateType| Rest]) of - {ok,Date} -> + {ok, Date} -> Date; _Error-> bad_date |