Chromium Code Reviews Chromium Code Reviews
Issue 225813002:
Fix XSS issues in http_server's dir-listing and error-page. (Closed)
Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart| Index: pkg/http_server/lib/src/virtual_directory.dart |
| diff --git a/pkg/http_server/lib/src/virtual_directory.dart b/pkg/http_server/lib/src/virtual_directory.dart |
| index 6eef0b4208b3811dee2e362d8612e4fd200bea9f..6f423b14746843b3038de1ecedf6e848ab80454e 100644 |
| --- a/pkg/http_server/lib/src/virtual_directory.dart |
| +++ b/pkg/http_server/lib/src/virtual_directory.dart |
| @@ -255,16 +255,17 @@ class VirtualDirectory { |
| } |
| response.headers.set(HttpHeaders.LAST_MODIFIED, stats.modified); |
| - var path = request.uri.path; |
| + var path = Uri.decodeComponent(request.uri.path); |
| + var encodedPath = new HtmlEscape().convert(path); |
| var header = |
| '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
| http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| <head> |
| -<title>Index of $path</title> |
| +<title>Index of $encodedPath</title> |
| </head> |
| <body> |
| -<h1>Index of $path</h1> |
| +<h1>Index of $encodedPath</h1> |
| <table> |
| <tr> |
| <td>Name</td> |
| @@ -284,16 +285,23 @@ $server |
| response.write(header); |
| void add(String name, String modified, var size) { |
| + try { |
|
Søren Gjesse
2014/04/04 12:54:26
Indentation.
Anders Johnsen
2014/04/04 12:58:13
Oops, debug try catch.
|
| if (size == null) size = "-"; |
| if (modified == null) modified = ""; |
| - var p = normalize(join(path, name)); |
| + var encodedLink = new HtmlEscape(HtmlEscapeMode.ATTRIBUTE) |
| + .convert(Uri.encodeComponent(normalize(join(path, name)))); |
| + var encodedName = new HtmlEscape().convert(name); |
| + |
| var entry = |
| ''' <tr> |
| - <td><a href="$p">$name</a></td> |
| + <td><a href="$encodedLink">$encodedName</a></td> |
| <td>$modified</td> |
| <td style="text-align: right">$size</td> |
| </tr>'''; |
| response.write(entry); |
| + } catch (e) { |
| + print(e); |
|
Søren Gjesse
2014/04/04 12:54:26
Debug print? What do do here?
Anders Johnsen
2014/04/04 12:58:13
Done.
|
| + } |
| } |
| if (path != '/') { |
| @@ -331,7 +339,8 @@ $server |
| return; |
| } |
| // Default error page. |
| - var path = request.uri.path; |
| + var path = Uri.decodeComponent(request.uri.path); |
| + var encodedPath = new HtmlEscape().convert(path); |
| var reason = response.reasonPhrase; |
| var server = response.headers.value(HttpHeaders.SERVER); |
| @@ -341,10 +350,10 @@ $server |
| http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| <head> |
| -<title>$reason: $path</title> |
| +<title>$reason: $encodedPath</title> |
| </head> |
| <body> |
| -<h1>Error $error at \'$path\': $reason</h1> |
| +<h1>Error $error at \'$encodedPath\': $reason</h1> |
| $server |
| </body> |
| </html>'''; |
