Chromium Code Reviews Chromium Code Reviews
Issue 225813002:
Fix XSS issues in http_server's dir-listing and error-page. (Closed)
Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file | 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file |
| 2 // for details. All rights reserved. Use of this source code is governed by a | 2 // for details. All rights reserved. Use of this source code is governed by a |
| 3 // BSD-style license that can be found in the LICENSE file. | 3 // BSD-style license that can be found in the LICENSE file. |
| 4 | 4 |
| 5 part of http_server; | 5 part of http_server; |
| 6 | 6 |
| 7 | 7 |
| 8 // Used for signal a directory redirecting, where a tailing slash is missing. | 8 // Used for signal a directory redirecting, where a tailing slash is missing. |
| 9 class _DirectoryRedirect { | 9 class _DirectoryRedirect { |
| 10 const _DirectoryRedirect(); | 10 const _DirectoryRedirect(); |
| (...skipping 237 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 248 var response = request.response; | 248 var response = request.response; |
| 249 dir.stat().then((stats) { | 249 dir.stat().then((stats) { |
| 250 if (request.headers.ifModifiedSince != null && | 250 if (request.headers.ifModifiedSince != null && |
| 251 !stats.modified.isAfter(request.headers.ifModifiedSince)) { | 251 !stats.modified.isAfter(request.headers.ifModifiedSince)) { |
| 252 response.statusCode = HttpStatus.NOT_MODIFIED; | 252 response.statusCode = HttpStatus.NOT_MODIFIED; |
| 253 response.close(); | 253 response.close(); |
| 254 return; | 254 return; |
| 255 } | 255 } |
| 256 | 256 |
| 257 response.headers.set(HttpHeaders.LAST_MODIFIED, stats.modified); | 257 response.headers.set(HttpHeaders.LAST_MODIFIED, stats.modified); |
| 258 var path = request.uri.path; | 258 var path = Uri.decodeComponent(request.uri.path); |
| 259 var encodedPath = new HtmlEscape().convert(path); | |
| 259 var header = | 260 var header = |
| 260 '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" | 261 '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
| 261 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | 262 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 262 <html xmlns="http://www.w3.org/1999/xhtml"> | 263 <html xmlns="http://www.w3.org/1999/xhtml"> |
| 263 <head> | 264 <head> |
| 264 <title>Index of $path</title> | 265 <title>Index of $encodedPath</title> |
| 265 </head> | 266 </head> |
| 266 <body> | 267 <body> |
| 267 <h1>Index of $path</h1> | 268 <h1>Index of $encodedPath</h1> |
| 268 <table> | 269 <table> |
| 269 <tr> | 270 <tr> |
| 270 <td>Name</td> | 271 <td>Name</td> |
| 271 <td>Last modified</td> | 272 <td>Last modified</td> |
| 272 <td>Size</td> | 273 <td>Size</td> |
| 273 </tr> | 274 </tr> |
| 274 '''; | 275 '''; |
| 275 var server = response.headers.value(HttpHeaders.SERVER); | 276 var server = response.headers.value(HttpHeaders.SERVER); |
| 276 if (server == null) server = ""; | 277 if (server == null) server = ""; |
| 277 var footer = | 278 var footer = |
| 278 '''</table> | 279 '''</table> |
| 279 $server | 280 $server |
| 280 </body> | 281 </body> |
| 281 </html> | 282 </html> |
| 282 '''; | 283 '''; |
| 283 | 284 |
| 284 response.write(header); | 285 response.write(header); |
| 285 | 286 |
| 286 void add(String name, String modified, var size) { | 287 void add(String name, String modified, var size) { |
| 288 try { | |
|
Søren Gjesse
2014/04/04 12:54:26
Indentation.
Anders Johnsen
2014/04/04 12:58:13
Oops, debug try catch.
| |
| 287 if (size == null) size = "-"; | 289 if (size == null) size = "-"; |
| 288 if (modified == null) modified = ""; | 290 if (modified == null) modified = ""; |
| 289 var p = normalize(join(path, name)); | 291 var encodedLink = new HtmlEscape(HtmlEscapeMode.ATTRIBUTE) |
| 292 .convert(Uri.encodeComponent(normalize(join(path, name)))); | |
| 293 var encodedName = new HtmlEscape().convert(name); | |
| 294 | |
| 290 var entry = | 295 var entry = |
| 291 ''' <tr> | 296 ''' <tr> |
| 292 <td><a href="$p">$name</a></td> | 297 <td><a href="$encodedLink">$encodedName</a></td> |
| 293 <td>$modified</td> | 298 <td>$modified</td> |
| 294 <td style="text-align: right">$size</td> | 299 <td style="text-align: right">$size</td> |
| 295 </tr>'''; | 300 </tr>'''; |
| 296 response.write(entry); | 301 response.write(entry); |
| 302 } catch (e) { | |
| 303 print(e); | |
|
Søren Gjesse
2014/04/04 12:54:26
Debug print? What do do here?
Anders Johnsen
2014/04/04 12:58:13
Done.
| |
| 304 } | |
| 297 } | 305 } |
| 298 | 306 |
| 299 if (path != '/') { | 307 if (path != '/') { |
| 300 add('../', null, null); | 308 add('../', null, null); |
| 301 } | 309 } |
| 302 | 310 |
| 303 dir.list(followLinks: true).listen((entity) { | 311 dir.list(followLinks: true).listen((entity) { |
| 304 if (entity is File) { | 312 if (entity is File) { |
| 305 var stat = entity.statSync(); | 313 var stat = entity.statSync(); |
| 306 add(basename(entity.path), | 314 add(basename(entity.path), |
| (...skipping 17 matching lines...) Expand all Loading... | |
| 324 } | 332 } |
| 325 | 333 |
| 326 void _serveErrorPage(int error, HttpRequest request) { | 334 void _serveErrorPage(int error, HttpRequest request) { |
| 327 var response = request.response; | 335 var response = request.response; |
| 328 response.statusCode = error; | 336 response.statusCode = error; |
| 329 if (_errorCallback != null) { | 337 if (_errorCallback != null) { |
| 330 _errorCallback(request); | 338 _errorCallback(request); |
| 331 return; | 339 return; |
| 332 } | 340 } |
| 333 // Default error page. | 341 // Default error page. |
| 334 var path = request.uri.path; | 342 var path = Uri.decodeComponent(request.uri.path); |
| 343 var encodedPath = new HtmlEscape().convert(path); | |
| 335 var reason = response.reasonPhrase; | 344 var reason = response.reasonPhrase; |
| 336 | 345 |
| 337 var server = response.headers.value(HttpHeaders.SERVER); | 346 var server = response.headers.value(HttpHeaders.SERVER); |
| 338 if (server == null) server = ""; | 347 if (server == null) server = ""; |
| 339 var page = | 348 var page = |
| 340 '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" | 349 '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
| 341 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | 350 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 342 <html xmlns="http://www.w3.org/1999/xhtml"> | 351 <html xmlns="http://www.w3.org/1999/xhtml"> |
| 343 <head> | 352 <head> |
| 344 <title>$reason: $path</title> | 353 <title>$reason: $encodedPath</title> |
| 345 </head> | 354 </head> |
| 346 <body> | 355 <body> |
| 347 <h1>Error $error at \'$path\': $reason</h1> | 356 <h1>Error $error at \'$encodedPath\': $reason</h1> |
| 348 $server | 357 $server |
| 349 </body> | 358 </body> |
| 350 </html>'''; | 359 </html>'''; |
| 351 response.write(page); | 360 response.write(page); |
| 352 response.close(); | 361 response.close(); |
| 353 } | 362 } |
| 354 } | 363 } |
| 355 | 364 |
| 356 class _VirtualDirectoryFileStream extends StreamConsumer<List<int>> { | 365 class _VirtualDirectoryFileStream extends StreamConsumer<List<int>> { |
| 357 final HttpResponse response; | 366 final HttpResponse response; |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 401 | 410 |
| 402 Future close() => new Future.value(); | 411 Future close() => new Future.value(); |
| 403 | 412 |
| 404 void setMimeType(List<int> bytes) { | 413 void setMimeType(List<int> bytes) { |
| 405 var mimeType = lookupMimeType(path, headerBytes: bytes); | 414 var mimeType = lookupMimeType(path, headerBytes: bytes); |
| 406 if (mimeType != null) { | 415 if (mimeType != null) { |
| 407 response.headers.contentType = ContentType.parse(mimeType); | 416 response.headers.contentType = ContentType.parse(mimeType); |
| 408 } | 417 } |
| 409 } | 418 } |
| 410 } | 419 } |
| OLD | NEW |
