Chromium Code Reviews Chromium Code Reviews
Issue 225813002:
Fix XSS issues in http_server's dir-listing and error-page. (Closed)
Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file | 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file |
| 2 // for details. All rights reserved. Use of this source code is governed by a | 2 // for details. All rights reserved. Use of this source code is governed by a |
| 3 // BSD-style license that can be found in the LICENSE file. | 3 // BSD-style license that can be found in the LICENSE file. |
| 4 | 4 |
| 5 part of http_server; | 5 part of http_server; |
| 6 | 6 |
| 7 | 7 |
| 8 // Used for signal a directory redirecting, where a tailing slash is missing. | 8 // Used for signal a directory redirecting, where a tailing slash is missing. |
| 9 class _DirectoryRedirect { | 9 class _DirectoryRedirect { |
| 10 const _DirectoryRedirect(); | 10 const _DirectoryRedirect(); |
| (...skipping 237 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 248 var response = request.response; | 248 var response = request.response; |
| 249 dir.stat().then((stats) { | 249 dir.stat().then((stats) { |
| 250 if (request.headers.ifModifiedSince != null && | 250 if (request.headers.ifModifiedSince != null && |
| 251 !stats.modified.isAfter(request.headers.ifModifiedSince)) { | 251 !stats.modified.isAfter(request.headers.ifModifiedSince)) { |
| 252 response.statusCode = HttpStatus.NOT_MODIFIED; | 252 response.statusCode = HttpStatus.NOT_MODIFIED; |
| 253 response.close(); | 253 response.close(); |
| 254 return; | 254 return; |
| 255 } | 255 } |
| 256 | 256 |
| 257 response.headers.set(HttpHeaders.LAST_MODIFIED, stats.modified); | 257 response.headers.set(HttpHeaders.LAST_MODIFIED, stats.modified); |
| 258 var path = request.uri.path; | 258 var path = Uri.decodeComponent(request.uri.path); |
| 259 var encodedPath = new HtmlEscape().convert(path); | |
| 259 var header = | 260 var header = |
| 260 '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" | 261 '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
| 261 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | 262 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 262 <html xmlns="http://www.w3.org/1999/xhtml"> | 263 <html xmlns="http://www.w3.org/1999/xhtml"> |
| 263 <head> | 264 <head> |
| 264 <title>Index of $path</title> | 265 <title>Index of $encodedPath</title> |
| 265 </head> | 266 </head> |
| 266 <body> | 267 <body> |
| 267 <h1>Index of $path</h1> | 268 <h1>Index of $encodedPath</h1> |
| 268 <table> | 269 <table> |
| 269 <tr> | 270 <tr> |
| 270 <td>Name</td> | 271 <td>Name</td> |
| 271 <td>Last modified</td> | 272 <td>Last modified</td> |
| 272 <td>Size</td> | 273 <td>Size</td> |
| 273 </tr> | 274 </tr> |
| 274 '''; | 275 '''; |
| 275 var server = response.headers.value(HttpHeaders.SERVER); | 276 var server = response.headers.value(HttpHeaders.SERVER); |
| 276 if (server == null) server = ""; | 277 if (server == null) server = ""; |
| 277 var footer = | 278 var footer = |
| 278 '''</table> | 279 '''</table> |
| 279 $server | 280 $server |
| 280 </body> | 281 </body> |
| 281 </html> | 282 </html> |
| 282 '''; | 283 '''; |
| 283 | 284 |
| 284 response.write(header); | 285 response.write(header); |
| 285 | 286 |
| 286 void add(String name, String modified, var size) { | 287 void add(String name, String modified, var size) { |
| 287 if (size == null) size = "-"; | 288 if (size == null) size = "-"; |
| 288 if (modified == null) modified = ""; | 289 if (modified == null) modified = ""; |
| 289 var p = normalize(join(path, name)); | 290 var encodedLink = new HtmlEscape(HtmlEscapeMode.ATTRIBUTE) |
| 291 .convert(Uri.encodeComponent(normalize(join(path, name)))); | |
| 292 var encodedName = new HtmlEscape().convert(name); | |
| 293 | |
| 290 var entry = | 294 var entry = |
| 291 ''' <tr> | 295 ''' <tr> |
| 292 <td><a href="$p">$name</a></td> | 296 <td><a href="$encodedLink">$encodedName</a></td> |
| 293 <td>$modified</td> | 297 <td>$modified</td> |
|
nweiz
2014/04/04 18:06:37
Escape [modified] as well. Even though it doesn't
Anders Johnsen
2014/04/07 07:03:08
Done.
| |
| 294 <td style="text-align: right">$size</td> | 298 <td style="text-align: right">$size</td> |
| 295 </tr>'''; | 299 </tr>'''; |
| 296 response.write(entry); | 300 response.write(entry); |
| 297 } | 301 } |
| 298 | 302 |
| 299 if (path != '/') { | 303 if (path != '/') { |
| 300 add('../', null, null); | 304 add('../', null, null); |
| 301 } | 305 } |
| 302 | 306 |
| 303 dir.list(followLinks: true).listen((entity) { | 307 dir.list(followLinks: true).listen((entity) { |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 324 } | 328 } |
| 325 | 329 |
| 326 void _serveErrorPage(int error, HttpRequest request) { | 330 void _serveErrorPage(int error, HttpRequest request) { |
| 327 var response = request.response; | 331 var response = request.response; |
| 328 response.statusCode = error; | 332 response.statusCode = error; |
| 329 if (_errorCallback != null) { | 333 if (_errorCallback != null) { |
| 330 _errorCallback(request); | 334 _errorCallback(request); |
| 331 return; | 335 return; |
| 332 } | 336 } |
| 333 // Default error page. | 337 // Default error page. |
| 334 var path = request.uri.path; | 338 var path = Uri.decodeComponent(request.uri.path); |
| 339 var encodedPath = new HtmlEscape().convert(path); | |
| 335 var reason = response.reasonPhrase; | 340 var reason = response.reasonPhrase; |
| 336 | 341 |
| 337 var server = response.headers.value(HttpHeaders.SERVER); | 342 var server = response.headers.value(HttpHeaders.SERVER); |
| 338 if (server == null) server = ""; | 343 if (server == null) server = ""; |
| 339 var page = | 344 var page = |
| 340 '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" | 345 '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
| 341 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | 346 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 342 <html xmlns="http://www.w3.org/1999/xhtml"> | 347 <html xmlns="http://www.w3.org/1999/xhtml"> |
| 343 <head> | 348 <head> |
| 344 <title>$reason: $path</title> | 349 <title>$reason: $encodedPath</title> |
| 345 </head> | 350 </head> |
| 346 <body> | 351 <body> |
| 347 <h1>Error $error at \'$path\': $reason</h1> | 352 <h1>Error $error at \'$encodedPath\': $reason</h1> |
|
nweiz
2014/04/04 18:06:37
Escape [error] and [reason].
Anders Johnsen
2014/04/07 07:03:08
Done.
| |
| 348 $server | 353 $server |
| 349 </body> | 354 </body> |
| 350 </html>'''; | 355 </html>'''; |
| 351 response.write(page); | 356 response.write(page); |
| 352 response.close(); | 357 response.close(); |
| 353 } | 358 } |
| 354 } | 359 } |
| 355 | 360 |
| 356 class _VirtualDirectoryFileStream extends StreamConsumer<List<int>> { | 361 class _VirtualDirectoryFileStream extends StreamConsumer<List<int>> { |
| 357 final HttpResponse response; | 362 final HttpResponse response; |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 401 | 406 |
| 402 Future close() => new Future.value(); | 407 Future close() => new Future.value(); |
| 403 | 408 |
| 404 void setMimeType(List<int> bytes) { | 409 void setMimeType(List<int> bytes) { |
| 405 var mimeType = lookupMimeType(path, headerBytes: bytes); | 410 var mimeType = lookupMimeType(path, headerBytes: bytes); |
| 406 if (mimeType != null) { | 411 if (mimeType != null) { |
| 407 response.headers.contentType = ContentType.parse(mimeType); | 412 response.headers.contentType = ContentType.parse(mimeType); |
| 408 } | 413 } |
| 409 } | 414 } |
| 410 } | 415 } |
| OLD | NEW |
