/index.html

From f9060599aeab81cb9282ddf51cc057bf1353208f Mon Sep 17 00:00:00 2001 From: Micael Karlberg Date: Tue, 25 Oct 2011 12:34:56 +0200 Subject: The XSS prevention methods used was confused if the URL was encoded (hex-encoded). OTP-9655 --- lib/inets/test/httpd_basic_SUITE.erl | 144 ++++++++++++++++++++++++++++------- 1 file changed, 117 insertions(+), 27 deletions(-) (limited to 'lib/inets/test/httpd_basic_SUITE.erl') diff --git a/lib/inets/test/httpd_basic_SUITE.erl b/lib/inets/test/httpd_basic_SUITE.erl index ed0fe942cf..581c9c5782 100644 --- a/lib/inets/test/httpd_basic_SUITE.erl +++ b/lib/inets/test/httpd_basic_SUITE.erl @@ -49,9 +49,28 @@ all(suite) -> init_per_suite(Config) -> ok = inets:start(), PrivDir = ?config(priv_dir, Config), - HttpdConf = [{port, 0}, {ipfamily, inet}, - {server_name, "httpd_test"}, {server_root, PrivDir}, - {document_root, PrivDir}, {bind_address, "localhost"}], + + Dummy = +" + +/index.html + + +DUMMY + +", + + DummyFile = filename:join([PrivDir,"dummy.html"]), + {ok, Fd} = file:open(DummyFile, [write]), + ok = file:write(Fd, Dummy), + ok = file:close(Fd), + HttpdConf = [{port, 0}, + {ipfamily, inet}, + {server_name, "httpd_test"}, + {server_root, PrivDir}, + {document_root, PrivDir}, + {bind_address, "localhost"}], + [{httpd_conf, HttpdConf} | Config]. %%-------------------------------------------------------------------- @@ -115,6 +134,10 @@ uri_too_long_414(Config) when is_list(Config) -> {version, "HTTP/0.9"}]), inets:stop(httpd, Pid). + +%%------------------------------------------------------------------------- +%%------------------------------------------------------------------------- + header_too_long_413(doc) -> ["Test that too long headers's get 413 HTTP code"]; header_too_long_413(suite) -> @@ -135,49 +158,92 @@ header_too_long_413(Config) when is_list(Config) -> inets:stop(httpd, Pid). +%%------------------------------------------------------------------------- +%%------------------------------------------------------------------------- + escaped_url_in_error_body(doc) -> ["Test Url-encoding see OTP-8940"]; escaped_url_in_error_body(suite) -> []; escaped_url_in_error_body(Config) when is_list(Config) -> + tsp("escaped_url_in_error_body -> entry"), HttpdConf = ?config(httpd_conf, Config), {ok, Pid} = inets:start(httpd, [{port, 0} | HttpdConf]), Info = httpd:info(Pid), - Port = proplists:get_value(port, Info), + Port = proplists:get_value(port, Info), _Address = proplists:get_value(bind_address, Info), - Path = "/this_is_bold", - URL = ?URL_START ++ integer_to_list(Port) ++ Path, - EscapedPath = http_uri:encode(Path), - case httpc:request(get, {URL, []}, - [{url_encode, true}, - {version, "HTTP/1.0"}], + + %% Request 1 + tsp("escaped_url_in_error_body -> request 1"), + URL1 = ?URL_START ++ integer_to_list(Port), + %% Make sure the server is ok, by making a request for a valid page + case httpc:request(get, {URL1 ++ "/dummy.html", []}, + [{url_encode, false}, + {version, "HTTP/1.0"}], [{full_result, false}]) of - {ok, {404, Body1}} -> - case find_URL_path(string:tokens(Body1, " ")) of - EscapedPath -> - ok; - BadPath1 -> - tsf({unexpected_path_1, EscapedPath, BadPath1}) - end; + {ok, {200, _}} -> + %% Don't care about the the body, just that we get a ok response + ok; {ok, UnexpectedOK1} -> tsf({unexpected_ok_1, UnexpectedOK1}) end, - case httpc:request(get, {URL, []}, - [{version, "HTTP/1.0"}], + %% Request 2 + tsp("escaped_url_in_error_body -> request 2"), + %% Make sure the server is ok, by making a request for a valid page + case httpc:request(get, {URL1 ++ "/dummy.html", []}, + [{url_encode, true}, + {version, "HTTP/1.0"}], + [{full_result, false}]) of + {ok, {200, _}} -> + %% Don't care about the the body, just that we get a ok response + ok; + {ok, UnexpectedOK2} -> + tsf({unexpected_ok_2, UnexpectedOK2}) + end, + + %% Request 3 + tsp("escaped_url_in_error_body -> request 3"), + %% Ask for a non-existing page(1) + Path = "/this_is_bold", + HTMLEncodedPath = http_util:html_encode(Path), + URL2 = URL1 ++ Path, + case httpc:request(get, {URL2, []}, + [{url_encode, true}, + {version, "HTTP/1.0"}], [{full_result, false}]) of - {ok, {404, Body2}} -> - HTMLEncodedPath = http_util:html_encode(Path), - case find_URL_path(string:tokens(Body2, " ")) of + {ok, {404, Body3}} -> + case find_URL_path(string:tokens(Body3, " ")) of HTMLEncodedPath -> ok; - BadPath2 -> - tsf({unexpected_path_2, EscapedPath, BadPath2}) + BadPath3 -> + tsf({unexpected_path_3, HTMLEncodedPath, BadPath3}) end; - {ok, UnexpectedOK2} -> - tsf({unexpected_ok_2, UnexpectedOK2}) + {ok, UnexpectedOK3} -> + tsf({unexpected_ok_1, UnexpectedOK3}) + end, + + %% Request 4 + tsp("escaped_url_in_error_body -> request 4"), + %% Ask for a non-existing page(2) + case httpc:request(get, {URL2, []}, + [{url_encode, false}, + {version, "HTTP/1.0"}], + [{full_result, false}]) of + {ok, {404, Body4}} -> + case find_URL_path(string:tokens(Body4, " ")) of + HTMLEncodedPath -> + ok; + BadPath4 -> + tsf({unexpected_path_2, HTMLEncodedPath, BadPath4}) + end; + {ok, UnexpectedOK4} -> + tsf({unexpected_ok_4, UnexpectedOK4}) end, - inets:stop(httpd, Pid). + tsp("escaped_url_in_error_body -> stop inets"), + inets:stop(httpd, Pid), + tsp("escaped_url_in_error_body -> done"), + ok. find_URL_path([]) -> ""; @@ -189,3 +255,27 @@ find_URL_path([_ | Rest]) -> tsf(Reason) -> test_server:fail(Reason). + +tsp(F) -> + tsp(F, []). +tsp(F, A) -> + Timestamp = formated_timestamp(), + test_server:format("** ~s ** ~p ~p:" ++ F ++ "~n", + [Timestamp, self(), ?MODULE | A]). + +formated_timestamp() -> + format_timestamp( os:timestamp() ). + +format_timestamp({_N1, _N2, N3} = Now) -> + {Date, Time} = calendar:now_to_datetime(Now), + {YYYY,MM,DD} = Date, + {Hour,Min,Sec} = Time, + FormatDate = + io_lib:format("~.4w:~.2.0w:~.2.0w ~.2.0w:~.2.0w:~.2.0w 4~w", + [YYYY,MM,DD,Hour,Min,Sec,round(N3/1000)]), + lists:flatten(FormatDate). + + +skip(Reason) -> + {skip, Reason}. + -- cgit v1.2.3