Security: don't pass raw string to cgi_error, it expects a format

string, so pass it ("%s", str) instead. Add test case to verify that %s makes it through intact.
blong42 · Nov 29, 2011 · 14d4b94 · 14d4b94
1 parent 292a3a5
commit 14d4b94
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/python/neo_cgi.c b/python/neo_cgi.c
@@ -178,7 +178,7 @@ static PyObject * p_cgi_error (PyObject *self, PyObject *args)
   if (!PyArg_ParseTuple(args, "s:error(str)", &s))
     return NULL;
 
-  cgi_error (cgi, s);
+  cgi_error (cgi, "%s", s);
   rv = Py_None;
   Py_INCREF(rv);
   return rv;

diff --git a/python/pywrapper_test.py b/python/pywrapper_test.py
@@ -5,6 +5,7 @@
 
 __author__ = 'blong@google.com (Brandon Long)'
 
+import StringIO
 import unittest
 
 import neo_cgi
@@ -43,6 +44,15 @@ def testCsRenderStrip(self):
   def testJsEscape(self):
     assert neo_cgi.jsEscape("\x0A \xA9") == "\\x0A \xA9"
 
+  def testValidateErrorString(self):
+    fake_stdin = StringIO.StringIO("")
+    fake_stdout = StringIO.StringIO()
+    fake_env = {}
+    neo_cgi.cgiWrap(fake_stdin, fake_stdout, fake_env)
+    ncgi = neo_cgi.CGI()
+    ncgi.error("%s")
+    assert fake_stdout.getvalue().find("%s") != -1
+
 
 def suite():
   return unittest.makeSuite(ClearsilverPythonWrapperTestCase, 'test')