Unified Diff: pkg/http_server/lib/src/virtual_directory.dart

Issue 225813002: Fix XSS issues in http_server's dir-listing and error-page. (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart
Patch Set: Remove debug code. Created 6 years, 9 months ago
Index: pkg/http_server/lib/src/virtual_directory.dart
diff --git a/pkg/http_server/lib/src/virtual_directory.dart b/pkg/http_server/lib/src/virtual_directory.dart
index 6eef0b4208b3811dee2e362d8612e4fd200bea9f..a5aed2466c7398eba7360df5b523d772e821a6c0 100644
--- a/pkg/http_server/lib/src/virtual_directory.dart
+++ b/pkg/http_server/lib/src/virtual_directory.dart
@@ -255,16 +255,17 @@ class VirtualDirectory {
}
response.headers.set(HttpHeaders.LAST_MODIFIED, stats.modified);
- var path = request.uri.path;
+ var path = Uri.decodeComponent(request.uri.path);
+ var encodedPath = new HtmlEscape().convert(path);
var header =
'''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
-<title>Index of $path</title>
+<title>Index of $encodedPath</title>
</head>
<body>
-<h1>Index of $path</h1>
+<h1>Index of $encodedPath</h1>
<table>
<tr>
<td>Name</td>
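Review bot: `Uri.decodeComponent(request.uri.path)` on the new line 256 throws an `ArgumentError` on a malformed percent-escape (a truncated or non-hex `%xx` sequence), and nothing in the hunk catches it, so a request with such a path fails inside the directory listing instead of producing a normal error response; the same call is added in the error-page hunk at `@@ -331,7 +335,8 @@`. Whether the server has already rejected such paths before this code runs is not visible here. Guarding the decode, `String path; try { path = Uri.decodeComponent(request.uri.path); } on ArgumentError { path = request.uri.path; }`, keeps both pages reachable for those requests, with the raw path still passed through `HtmlEscape` before it is rendered. The enclosing method starts and ends outside the hunk.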
@@ -286,10 +287,13 @@ $server
void add(String name, String modified, var size) {
if (size == null) size = "-";
if (modified == null) modified = "";
- var p = normalize(join(path, name));
+ var encodedLink = new HtmlEscape(HtmlEscapeMode.ATTRIBUTE)
+ .convert(Uri.encodeComponent(normalize(join(path, name))));
+ var encodedName = new HtmlEscape().convert(name);
+
var entry =
''' <tr>
- <td><a href="$p">$name</a></td>
+ <td><a href="$encodedLink">$encodedName</a></td>
<td>$modified</td>
nweiz 2014/04/04 18:06:37 Escape [modified] as well. Even though it doesn't
Anders Johnsen 2014/04/07 07:03:08 Done.
<td style="text-align: right">$size</td>
</tr>''';
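Review bot: `Uri.encodeComponent(normalize(join(path, name)))` on the new lines 290–291 percent-encodes the `/` separators of the joined path too, since encodeComponent escapes everything outside the unreserved set, so the `href` becomes a single segment such as `%2Fdir%2Fname` and no longer resolves to the entry. Encoding per segment keeps the separators: `var link = normalize(join(path, name));` and then `.convert(link.split('/').map(Uri.encodeComponent).join('/'))` in place of the current `.convert(...)` argument, assuming the joined path uses `/` separators like the URL path does. Note also that `path` here is now the decoded value from the earlier hunk, so a `%2F` inside one request-path segment is rejoined as a separator before being re-encoded. The nested `add` function ends outside the hunk.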
@@ -331,7 +335,8 @@ $server
return;
}
// Default error page.
- var path = request.uri.path;
+ var path = Uri.decodeComponent(request.uri.path);
+ var encodedPath = new HtmlEscape().convert(path);
var reason = response.reasonPhrase;
var server = response.headers.value(HttpHeaders.SERVER);
@@ -341,10 +346,10 @@ $server
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
-<title>$reason: $path</title>
+<title>$reason: $encodedPath</title>
</head>
<body>
-<h1>Error $error at \'$path\': $reason</h1>
+<h1>Error $error at \'$encodedPath\': $reason</h1>
nweiz 2014/04/04 18:06:37 Escape [error] and [reason].
Anders Johnsen 2014/04/07 07:03:08 Done.
$server
</body>
</html>''';