From f9060599aeab81cb9282ddf51cc057bf1353208f Mon Sep 17 00:00:00 2001
From: Micael Karlberg
Date: Tue, 25 Oct 2011 12:34:56 +0200
Subject: The XSS prevention methods used was confused if the URL was encoded (hex-encoded). OTP-9655
---
 lib/inets/src/http_server/httpd_util.erl | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
(limited to 'lib/inets/src/http_server/httpd_util.erl')
diff --git a/lib/inets/src/http_server/httpd_util.erl b/lib/inets/src/http_server/httpd_util.erl
index 7fe5d6d152..2e0752bcc0 100644
--- a/lib/inets/src/http_server/httpd_util.erl
+++ b/lib/inets/src/http_server/httpd_util.erl
@@ -180,10 +180,10 @@ message(301,URL,_) ->
 message(304, _URL,_) ->
 "The document has not been changed.";
 message(400, none, _) ->
- "Your browser sent a query that this server could not understand.";
+ "Your browser sent a query that this server could not understand. ";
 message(400, Msg, _) ->
 "Your browser sent a query that this server could not understand. " ++
- http_util:html_encode(Msg);
+ html_encode(http_uri:decode(Msg));
 message(401, none, _) ->
 "This server could not verify that you are authorized to access the document you 
@@ -193,29 +193,29 @@ browser doesn't understand how to supply the credentials required.";
 message(403,RequestURI,_) ->
 "You don't have permission to access " ++
- http_util:html_encode(RequestURI) ++
+ html_encode(RequestURI) ++
 " on this server.";
 message(404,RequestURI,_) ->
 "The requested URL " ++
- http_util:html_encode(RequestURI) ++
+ html_encode(RequestURI) ++
 " was not found on this server.";
 message(408, Timeout, _) ->
 Timeout;
 message(412,none,_) ->
 "The requested preconditions where false";
 message(413, Reason,_) ->
- "Entity: " ++ http_util:html_encode(Reason);
+ "Entity: " ++ html_encode(Reason);
 message(414,ReasonPhrase,_) ->
- "Message " ++ http_util:html_encode(ReasonPhrase) ++ ".";
+ "Message " ++ html_encode(ReasonPhrase) ++ ".";
 message(416,ReasonPhrase,_) ->
- http_util:html_encode(ReasonPhrase);
+ html_encode(ReasonPhrase);
 message(500,_,ConfigDB) ->
 ServerAdmin = lookup(ConfigDB, server_admin, "unknown@unknown"),
 "The server encountered an internal error or "
 "misconfiguration and was unable to complete "
 "your request.

Please contact the server administrator "
- ++ http_util:html_encode(ServerAdmin) ++
+ ++ html_encode(ServerAdmin) ++
 ", and inform them of the time the error occurred "
 "and anything you might have done that may have caused the error.";
@@ -224,17 +224,17 @@ message(501,{Method, RequestURI, HTTPVersion}, _ConfigDB) ->
 is_atom(Method) ->
 atom_to_list(Method)++
 " to " ++
- http_util:html_encode(RequestURI) ++
+ html_encode(RequestURI) ++
 " (" ++ HTTPVersion ++ ") not supported.";
 is_list(Method) ->
 Method++
 " to " ++
- http_util:html_encode(RequestURI) ++
+ html_encode(RequestURI) ++
 " (" ++ HTTPVersion ++ ") not supported."
 end;
 message(503, String, _ConfigDB) ->
- "This service in unavailable due to: " ++ http_util:html_encode(String).
+ "This service in unavailable due to: " ++ html_encode(String).
 maybe_encode(URI) ->
 case lists:member($%, URI) of
@@ -244,6 +244,9 @@ maybe_encode(URI) ->
 http_uri:encode(URI)
 end.
+html_encode(String) ->
+ http_util:html_encode(http_uri:decode(String)).
+
 %%convert_rfc_date(Date)->{{YYYY,MM,DD},{HH,MIN,SEC}}
 convert_request_date([D,A,Y,DateType| Rest])->
-- cgit v1.2.3
From 1577983b9b3883b74e3e460ed4f8f6916ffaa3a5 Mon Sep 17 00:00:00 2001
From: Micael Karlberg
Date: Wed, 26 Oct 2011 12:20:29 +0200
Subject: Fixed hex-decoding. OTP-9655
---
 lib/inets/src/http_server/httpd_util.erl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/inets/src/http_server/httpd_util.erl')
diff --git a/lib/inets/src/http_server/httpd_util.erl b/lib/inets/src/http_server/httpd_util.erl
index 2e0752bcc0..366843354e 100644
--- a/lib/inets/src/http_server/httpd_util.erl
+++ b/lib/inets/src/http_server/httpd_util.erl
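Review bot: The changed `message(503, ...)` clause keeps a typo in its user-facing text: `"This service in unavailable due to: " ++ html_encode(String).` should read `"This service is unavailable due to: " ++ html_encode(String).` Since the line is already being rewritten to route through the local `html_encode/1`, this is the natural moment to correct it. The `maybe_encode/1` function at the end of this hunk continues outside it.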
@@ -183,7 +183,7 @@ message(400, none, _) ->
 "Your browser sent a query that this server could not understand. ";
 message(400, Msg, _) ->
 "Your browser sent a query that this server could not understand. " ++
- html_encode(http_uri:decode(Msg));
+ html_encode(Msg);
 message(401, none, _) ->
 "This server could not verify that you are authorized to access the document you
-- cgit v1.2.3
From 37650c5ab7d286cdf4a4afa0d6eff1d915f57cff Mon Sep 17 00:00:00 2001
From: Micael Karlberg
Date: Wed, 26 Oct 2011 13:56:09 +0200
Subject: Fixed HTML encode. First *try* to hex decode uri, and then do the actual html encode. OTP-9655
---
 lib/inets/src/http_server/httpd_util.erl | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'lib/inets/src/http_server/httpd_util.erl')
diff --git a/lib/inets/src/http_server/httpd_util.erl b/lib/inets/src/http_server/httpd_util.erl
index 366843354e..15bfe9c621 100644
--- a/lib/inets/src/http_server/httpd_util.erl
+++ b/lib/inets/src/http_server/httpd_util.erl
@@ -245,7 +245,13 @@ maybe_encode(URI) ->
 end.
 html_encode(String) ->
- http_util:html_encode(http_uri:decode(String)).
+ try http_uri:decode(String) of
+ Decoded when is_list(Decoded) ->
+ http_util:html_encode(Decoded)
+ catch
+ _:_ ->
+ http_util:html_encode(String)
+ end.
 %%convert_rfc_date(Date)->{{YYYY,MM,DD},{HH,MIN,SEC}}
@@ -259,7 +265,7 @@ convert_request_date([D,A,Y,DateType| Rest])->
 fun convert_rfc850_date/1
 end,
 case catch Func([D,A,Y,DateType| Rest]) of
- {ok,Date} ->
+ {ok, Date} ->
 Date;
 _Error->
 bad_date
-- cgit v1.2.3
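Review bot: The `when is_list(Decoded)` guard in the `of` section of the new `html_encode/1` does not give the fallback it appears to: the `of` clauses of a `try` lie outside the protected region, so if `http_uri:decode/1` ever returned a non-list the resulting `try_clause` error would propagate instead of reaching the `catch` branch that encodes the raw string. Either drop the guard, `Decoded -> http_util:html_encode(Decoded)`, or move the decode result into a plain `case` after the `try` so every non-list outcome takes the fallback. The `_:_` pattern also swallows every exception class; if the failure mode being handled is a malformed percent-escape in request-supplied input (presumably raised as an `error` by the decoder — worth confirming), `error:_ ->` states that intent and leaves genuine exits visible. Note that the earlier commits route non-URI values through this function as well (`ServerAdmin`, the 413 `Reason`, the 503 `String`), so a literal `%` in those values may be altered by the decode step before encoding. A comment above the function would make the design clear, e.g. `%% Percent-decode before HTML-encoding so an encoded '<' or '"' cannot bypass the escaping; fall back to encoding the raw string when the input is not valid percent-encoding.`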