diff options
| author | Micael Karlberg <[email protected]> | 2011-09-15 09:43:48 +0200 |
|---|---|---|
| committer | Micael Karlberg <[email protected]> | 2011-09-15 09:43:48 +0200 |
| commit | 98fd9df4c4a04554fd2f707ca9ea2d674fad984d (patch) | |
| tree | 8861e1e85f352d828cf31f0690feaae63c0088bd /lib/inets/test/httpd_basic_SUITE.erl | |
| parent | 50261525973798faf7f62ea02356447b16e5fc56 (diff) | |
| download | otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.tar.gz otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.tar.bz2 otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.zip | |
Updated http-server to make sure URLs in error-messages
are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.
OTP-8940
[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos
OTP-9124
Diffstat (limited to 'lib/inets/test/httpd_basic_SUITE.erl')
| -rw-r--r-- | lib/inets/test/httpd_basic_SUITE.erl | 59 |
1 files changed, 57 insertions, 2 deletions
diff --git a/lib/inets/test/httpd_basic_SUITE.erl b/lib/inets/test/httpd_basic_SUITE.erl index f86c1fcb49..ed0fe942cf 100644 --- a/lib/inets/test/httpd_basic_SUITE.erl +++ b/lib/inets/test/httpd_basic_SUITE.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2009. All Rights Reserved. +%% Copyright Ericsson AB 2007-2011. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -25,13 +25,16 @@ %% Note: This directive should only be used in test suites. -compile(export_all). +-define(URL_START, "http://localhost:"). + all(doc) -> ["Basic test of httpd."]; all(suite) -> [ uri_too_long_414, - header_too_long_413 + header_too_long_413, + escaped_url_in_error_body ]. %%-------------------------------------------------------------------- @@ -132,5 +135,57 @@ header_too_long_413(Config) when is_list(Config) -> inets:stop(httpd, Pid). +escaped_url_in_error_body(doc) -> + ["Test Url-encoding see OTP-8940"]; +escaped_url_in_error_body(suite) -> + []; +escaped_url_in_error_body(Config) when is_list(Config) -> + HttpdConf = ?config(httpd_conf, Config), + {ok, Pid} = inets:start(httpd, [{port, 0} | HttpdConf]), + Info = httpd:info(Pid), + Port = proplists:get_value(port, Info), + _Address = proplists:get_value(bind_address, Info), + Path = "/<b>this_is_bold<b>", + URL = ?URL_START ++ integer_to_list(Port) ++ Path, + EscapedPath = http_uri:encode(Path), + case httpc:request(get, {URL, []}, + [{url_encode, true}, + {version, "HTTP/1.0"}], + [{full_result, false}]) of + {ok, {404, Body1}} -> + case find_URL_path(string:tokens(Body1, " ")) of + EscapedPath -> + ok; + BadPath1 -> + tsf({unexpected_path_1, EscapedPath, BadPath1}) + end; + {ok, UnexpectedOK1} -> + tsf({unexpected_ok_1, UnexpectedOK1}) + end, + + case httpc:request(get, {URL, []}, + [{version, "HTTP/1.0"}], + [{full_result, false}]) of + {ok, {404, Body2}} -> + HTMLEncodedPath = http_util:html_encode(Path), + case find_URL_path(string:tokens(Body2, " ")) of + HTMLEncodedPath -> + ok; + BadPath2 -> + tsf({unexpected_path_2, EscapedPath, BadPath2}) + end; + {ok, UnexpectedOK2} -> + tsf({unexpected_ok_2, UnexpectedOK2}) + end, + inets:stop(httpd, Pid). + +find_URL_path([]) -> + ""; +find_URL_path(["URL", URL | _]) -> + URL; +find_URL_path([_ | Rest]) -> + find_URL_path(Rest). +tsf(Reason) -> + test_server:fail(Reason). |