Merge branch 'bmk/inets/httpd/prevent_xss_in_error_pages/OTP-9124' into bmk/inets/inet56_integration

Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/inets_app/inets.appup.src
author: Micael Karlberg <[email protected]> 2011-03-18 18:37:39 +0100
committer: Micael Karlberg <[email protected]> 2011-03-18 18:37:39 +0100
commit: f39147b4c35dd06f48eba0a446dd6881aa46c917 (patch)
tree: 62e15d94df972eb25b2603c97940a7f0cf3c5230 /lib/inets/src
parent: f4b5ea566829cad609e14c2264158665b84800c1 (diff)
parent: ffb2d69e00ef283eeb266f3082067429b6ce1127 (diff)
download: otp-f39147b4c35dd06f48eba0a446dd6881aa46c917.tar.gz
otp-f39147b4c35dd06f48eba0a446dd6881aa46c917.tar.bz2
otp-f39147b4c35dd06f48eba0a446dd6881aa46c917.zip
3 files changed, 44 insertions, 20 deletions
diff --git a/lib/inets/src/http_lib/http_util.erl b/lib/inets/src/http_lib/http_util.erl
index 4f1147176c..5e6b69ac5e 100644
--- a/lib/inets/src/http_lib/http_util.erl
+++ b/lib/inets/src/http_lib/http_util.erl
@@ -25,7 +25,8 @@
 	 hexlist_to_integer/1, integer_to_hexlist/1, 
 	 convert_month/1, 
 	 is_hostname/1,
-	 timestamp/0, timeout/2
+	 timestamp/0, timeout/2,
+	 html_encode/1
 	]).
 
 
@@ -187,6 +188,13 @@ timeout(Timeout, Started) ->
     end.
     
 
+html_encode(Chars) ->
+    Reserved = sets:from_list([$&, $<, $>, $\", $', $/]),
+    lists:append(lists:map(fun(Char) ->
+	               char_to_html_entity(Char, Reserved)
+	           end, Chars)).
+
+
 %%%========================================================================
 %%% Internal functions
 %%%========================================================================
@@ -235,3 +243,11 @@ convert_to_ascii([Num | Reversed], Number)
 convert_to_ascii([Num | Reversed], Number) 
   when (Num > 9) andalso (Num < 16) ->
     convert_to_ascii(Reversed, [Num + 55 | Number]).
+
+char_to_html_entity(Char, Reserved) ->
+    case sets:is_element(Char, Reserved) of
+	true ->
+	    "&#" ++ integer_to_list(Char) ++ ";";
+	false ->
+	    [Char]
+    end.
diff --git a/lib/inets/src/http_server/httpd_util.erl b/lib/inets/src/http_server/httpd_util.erl
index 789f12652b..c1aff65d5e 100644
--- a/lib/inets/src/http_server/httpd_util.erl
+++ b/lib/inets/src/http_server/httpd_util.erl
@@ -181,7 +181,7 @@ message(304, _URL,_) ->
 message(400,none,_) ->
     "Your browser sent a query that this server could not understand.";
 message(400,Msg,_) ->
-    "Your browser sent a query that this server could not understand. "++ maybe_encode(Msg);
+    "Your browser sent a query that this server could not understand. "++ http_util:html_encode(Msg);
 message(401,none,_) ->
     "This server could not verify that you
 are authorized to access the document you
@@ -190,48 +190,48 @@ credentials (e.g., bad password), or your
 browser doesn't understand how to supply
 the credentials required.";
 message(403,RequestURI,_) ->
-    "You don't have permission to access "++ maybe_encode(RequestURI) ++" on this server.";
+    "You don't have permission to access "++ http_util:html_encode(RequestURI) ++" on this server.";
 message(404,RequestURI,_) ->
-    "The requested URL " ++ maybe_encode(RequestURI) ++ " was not found on this server.";
+    "The requested URL " ++ http_util:html_encode(RequestURI) ++ " was not found on this server.";
 message(408, Timeout, _) ->
     Timeout;
 message(412,none,_) ->
-    "The requested preconditions where false";
+    "The requested preconditions were false";
 message(413, Reason,_) ->
-    "Entity: " ++ Reason;
+    "Entity: " ++ http_util:html_encode(Reason);
 message(414,ReasonPhrase,_) ->
-    "Message "++ ReasonPhrase ++".";
+    "Message "++ http_util:html_encode(ReasonPhrase) ++".";
 message(416,ReasonPhrase,_) ->
-    ReasonPhrase;
+    http_util:html_encode(ReasonPhrase);
 
 message(500,_,ConfigDB) ->
     ServerAdmin=lookup(ConfigDB,server_admin,"unknown@unknown"),
     "The server encountered an internal error or "
 	"misconfiguration and was unable to complete "
 	"your request.<P>Please contact the server administrator "
-	++ ServerAdmin ++ ", and inform them of the time the error occurred "
+	++ http_util:html_encode(ServerAdmin) ++ ", and inform them of the time the error occurred "
 	"and anything you might have done that may have caused the error.";
 
 message(501,{Method, RequestURI, HTTPVersion}, _ConfigDB) ->
     if
 	is_atom(Method) ->
-	    atom_to_list(Method)++
-		" to "++ maybe_encode(RequestURI)++" ("++HTTPVersion++") not supported.";
+        http_util:html_encode(atom_to_list(Method))++
+		" to "++ http_util:html_encode(RequestURI)++" ("++ http_util:html_encode(HTTPVersion)++") not supported.";
 	is_list(Method) ->
-	    Method++
-		" to "++ maybe_encode(RequestURI)++" ("++HTTPVersion++") not supported."
+	    http_util:html_encode(Method)++
+		" to "++ http_util:html_encode(RequestURI)++" ("++ http_util:html_encode(HTTPVersion)++") not supported."
     end;
 
 message(503, String, _ConfigDB) ->
-    "This service in unavailable due to: "++String.
+    "This service in unavailable due to: "++ http_util:html_encode(String).
 
 maybe_encode(URI) ->
-    case lists:member($%, URI) of
-	true ->
-	    URI;
-	false ->
-	    http_uri:encode(URI)
-    end.
+    Decoded = try http_uri:decode(URI) of
+	N -> N
+    catch
+	error:_ -> URI
+    end,
+    http_uri:encode(Decoded).
 
 %%convert_rfc_date(Date)->{{YYYY,MM,DD},{HH,MIN,SEC}}
 
diff --git a/lib/inets/src/inets_app/inets.appup.src b/lib/inets/src/inets_app/inets.appup.src
index 02b1826c5f..cabc9c9834 100644
--- a/lib/inets/src/inets_app/inets.appup.src
+++ b/lib/inets/src/inets_app/inets.appup.src
@@ -21,6 +21,8 @@
   {"5.5.2", 
    [
     {load_module, ftp, soft_purge, soft_purge, []},
+    {load_module, http_util, soft_purge, soft_purge, []},
+    {load_module, httpd_util, soft_purge, soft_purge, [http_util]},
     {load_module, mod_esi, soft_purge, soft_purge, []},
     {load_module, httpc, soft_purge, soft_purge, [httpc_handler]},
     {load_module, httpc_request, soft_purge, soft_purge, []},
@@ -31,6 +33,8 @@
    [
     {load_module, ftp, soft_purge, soft_purge, []}, 
     {load_module, http_chunk, soft_purge, soft_purge, []},
+    {load_module, http_util, soft_purge, soft_purge, []},
+    {load_module, httpd_util, soft_purge, soft_purge, [http_util]},
     {load_module, mod_esi, soft_purge, soft_purge, []},
     {load_module, httpc, soft_purge, soft_purge, [httpc_handler]},
     {load_module, httpc_request, soft_purge, soft_purge, []},
@@ -53,6 +57,8 @@
   {"5.5.2",
    [
     {load_module, ftp, soft_purge, soft_purge, []}, 
+    {load_module, http_util, soft_purge, soft_purge, []},
+    {load_module, httpd_util, soft_purge, soft_purge, [http_util]},
     {load_module, mod_esi, soft_purge, soft_purge, []},
     {load_module, httpc, soft_purge, soft_purge, [httpc_handler]},
     {load_module, httpc_request, soft_purge, soft_purge, []},
@@ -63,6 +69,8 @@
    [
     {load_module, ftp, soft_purge, soft_purge, []}, 
     {load_module, http_chunk, soft_purge, soft_purge, []},
+    {load_module, http_util, soft_purge, soft_purge, []},
+    {load_module, httpd_util, soft_purge, soft_purge, [http_util]},
     {load_module, mod_esi, soft_purge, soft_purge, []},
     {load_module, httpc, soft_purge, soft_purge, [httpc_handler]},
     {load_module, httpc_request, soft_purge, soft_purge, []},
author	Micael Karlberg <[email protected]>	2011-03-18 18:37:39 +0100
committer	Micael Karlberg <[email protected]>	2011-03-18 18:37:39 +0100
commit	f39147b4c35dd06f48eba0a446dd6881aa46c917 (patch)
tree	62e15d94df972eb25b2603c97940a7f0cf3c5230 /lib/inets/src
parent	f4b5ea566829cad609e14c2264158665b84800c1 (diff)
parent	ffb2d69e00ef283eeb266f3082067429b6ce1127 (diff)
download	otp-f39147b4c35dd06f48eba0a446dd6881aa46c917.tar.gz otp-f39147b4c35dd06f48eba0a446dd6881aa46c917.tar.bz2 otp-f39147b4c35dd06f48eba0a446dd6881aa46c917.zip