
[fix] security issue: reflected XSS in error messages on IE6/7/8 and …

…maybe Safari, Credit:Bug reported by Alban Diquet <blanala () gmail com>
1 parent 29c167a commit 71e9e9942ee477881927cdae943dc71e84041e7a @BourgerieQuentin BourgerieQuentin committed Feb 1, 2012
Showing with 20 additions and 5 deletions.
  1. +6 −1 opabsl/mlbsl/bslDispatcher.ml
  2. +6 −1 stdlib/core/rpc/core/cell.opa
  3. +8 −3 stdlib/core/rpc/core/oparpc.opa
@@ -46,8 +46,13 @@ let send_json_response winfo json =
send_txt_response winfo txt
let send_error winfo txt =
+ let txt = #<If:PING_DEBUG> txt #<Else>
+ let _ = txt in "Unauthorized request"
+ #<End>
+ in
make_response ~req:winfo.HttpServerTypes.request Requestdef.SC_Unauthorized
- "text/plain" (Http_common.Result txt)
+ "text/plain"
+ (Http_common.Result txt)
winfo.HttpServerTypes.cont
let string2json str =
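Review bot: In the non-debug branch of `send_error` the caller's `txt` is dropped with `let _ = txt in` and nothing in this hunk records it, so the diagnostic the generic body now withholds from the client is lost to the operator as well; writing it to the server log (through whatever logging facility this module already uses) before the rebinding would preserve it. The root cause named in the commit title is the browser sniffing a `text/plain` body as HTML, so the masked body is only half of the mitigation: adding the `X-Content-Type-Options: nosniff` response header here would stop the sniffing itself, if `make_response` exposes a way to set headers (not visible in this hunk). The same two points apply to `reply_error` in the oparpc.opa hunk.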
@@ -388,7 +388,12 @@ type middle('msg, 'ctx) = external
parser_(winfo) =
forbidden(msg) =
- do reply(winfo, msg, {forbidden})
+ #<Ifstatic:MLSTATE_PING_DEBUG>
+ #<Else>
+ _ = msg
+ msg = "Unauthorized request"
+ #<End>
+ do reply(winfo, msg, {unauthorized})
do Log.error("Cell_Server", msg)
error("Cell_server")
parser
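Review bot: `msg` is rebound to `"Unauthorized request"` before `do Log.error("Cell_Server", msg)` runs, so in non-debug builds the server log now records the generic string instead of the actual failure reason, although the log is exactly where that detail should survive. Moving the log call ahead of the preprocessor block, `do Log.error("Cell_Server", msg)` as the first line of `forbidden(msg)`, keeps the client response masked while retaining the diagnostic. As a point of naming, `forbidden` now replies `{unauthorized}`, so the function name no longer matches its status code. The enclosing `parser_(winfo)` definition continues outside the hunk.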
@@ -397,9 +397,14 @@ type OpaRPC.timeout = {
)
reply_error(winfo, msg) =
+ #<Ifstatic:MLSTATE_PING_DEBUG>
+ #<Else>
+ _ = msg
+ msg = "Unauthorized request"
+ #<End>
winfo.cont(
WebCoreExport.default_make_response(
- {volatile}, winfo.http_request.request, {internal_server_error},
+ {volatile}, winfo.http_request.request, {unauthorized},
"text/plain", msg)
)
@@ -418,7 +423,7 @@ type OpaRPC.timeout = {
do Log.info("OpaRPC", "RPC call identified by {name}")
match get(name) with
| {none} ->
- _ = reply(winfo, "RPC not found", {wrong_address})
+ _ = reply_error(winfo, "RPC not found")
do Log.error("OpaRPC", "Call to the rpc \"{name}\" that doesn't exist")
error("RPC error")
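Review bot: Both this call site and the one in the following hunk now answer with `{unauthorized}` via `reply_error` for conditions that are not authorization failures (an unknown RPC name here, a malformed request body there), replacing the more specific `{wrong_address}` and `{forbidden}`. If the uniform status is deliberate so that the client cannot distinguish the failure modes, a comment on `reply_error` stating that intent, such as `// Every client-visible RPC failure is reported as a generic 401 with a fixed body so that nothing from the request is reflected`, would stop a later maintainer from "correcting" the codes back. The server-side `Log.error` lines that follow each call keep the detailed reason, which is the right place for it.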
@@ -429,7 +434,7 @@ type OpaRPC.timeout = {
reply(winfo, serial, {success}),
match skeleton(get_requested_post_content(winfo.http_request.request)) with
| {none} ->
- _ = reply(winfo, "Bad formatted rpc request", {forbidden})
+ _ = reply_error(winfo, "Bad formatted rpc request")
do Log.error("OpaRPC", "Call to the rpc \"{name}\" failed")
error("RPC error")
| {some = (ty,result)} ->

