Strip out unsafe HTML from error messages
jcameron committed Oct 21, 2016
1 parent bb03124 commit 475cc4f
Showing 1 changed file with 26 additions and 14 deletions.
40 changes: 26 additions & 14 deletions miniserv.pl
Expand Up @@ -1254,15 +1254,16 @@ sub handle_request
# check address against access list
if (@deny && &ip_match($acptip, $localip, @deny) ||
@allow && !&ip_match($acptip, $localip, @allow)) {
&http_error(403, "Access denied for $acptip");
&http_error(403, "Access denied for ".&html_strip($acptip));
return 0;
}

if ($use_libwrap) {
# Check address with TCP-wrappers
if (!hosts_ctl($config{'pam'}, STRING_UNKNOWN,
$acptip, STRING_UNKNOWN)) {
&http_error(403, "Access denied for $acptip by TCP wrappers");
&http_error(403, "Access denied for ".&html_strip($acptip).
" by TCP wrappers");
return 0;
}
}
Expand All @@ -1286,7 +1287,7 @@ sub handle_request
}
else {
&http_error(400, "Timeout",
"Waited for that $to seconds for start of headers");
"Waited for $to seconds for start of headers");
}
}
$checked_timeout++;
Expand Down Expand Up @@ -1413,11 +1414,12 @@ sub handle_request
$header{$lastheader} .= $headline;
}
else {
&http_error(400, "Bad Header $headline");
&http_error(400, "Bad Header ".&html_strip($headline));
}
if (&is_bad_header($header{$lastheader}, $lastheader)) {
delete($header{$lastheader});
&http_error(400, "Bad Header Contents $lastheader");
&http_error(400, "Bad Header Contents ".
&html_strip($lastheader));
}
}

Expand Down Expand Up @@ -1524,7 +1526,7 @@ sub handle_request

# Reject CONNECT request, which isn't supported
if ($method eq "CONNECT" || $method eq "TRACE") {
&http_error(405, "Method $method is not supported");
&http_error(405, "Method ".&html_strip($method)." is not supported");
}

# work out accepted encodings
Expand Down Expand Up @@ -1596,7 +1598,7 @@ sub handle_request
}
}
if (!$davpath && ($method eq "SEARCH" || $method eq "PUT")) {
&http_error(400, "Bad Request method $method");
&http_error(400, "Bad Request method ".&html_strip($method));
}

# Check for password if needed
Expand Down Expand Up @@ -2016,15 +2018,17 @@ sub handle_request
($>, $<) = ($u[2], $u[2]);
}
else {
&http_error(500, "Unix user $authuser does not exist");
&http_error(500, "Unix user ".
&html_strip($authuser)." does not exist");
return 0;
}
}
}

# Check per-user IP access control
if (!&check_user_ip($baseauthuser)) {
&http_error(403, "Access denied for $acptip for $baseauthuser");
&http_error(403, "Access denied for $acptip for ".
&html_strip($baseauthuser));
return 0;
}

Expand Down Expand Up @@ -2189,7 +2193,7 @@ sub handle_request
# check filename against denyfile regexp
local $denyfile = $config{'denyfile'};
if ($denyfile && $full =~ /$denyfile/) {
&http_error(403, "Access denied to ".&html_escape($page));
&http_error(403, "Access denied to ".&html_strip($page));
return 0;
}

Expand Down Expand Up @@ -2257,7 +2261,7 @@ sub handle_request
$len = length($df); $rest = " "x(35-$len);
&write_data(sprintf
"<a href=\"%s\">%-${len}.${len}s</a>$rest %-20.20s %-10.10s\n",
&urlize($df), &html_escape($df), $fdate, $stbuf[7]);
&urlize($df), &html_strip($df), $fdate, $stbuf[7]);
}
closedir(DIR);
&log_request($loghost, $authuser, $reqline, $ok_code, &byte_count());
Expand Down Expand Up @@ -2654,7 +2658,7 @@ sub http_error
&reset_byte_count();
&write_data("<h1>Error - $_[1]</h1>\n");
if ($_[2]) {
&write_data("<pre>$_[2]</pre>\n");
&write_data("<p>$_[2]</p>\n");
}
}
&log_request($loghost, $authuser, $reqline, $_[0], &byte_count())
Expand Down Expand Up @@ -2976,7 +2980,7 @@ sub read_line
while(($idx = index($main::read_buffer, "\n")) < 0) {
if (length($main::read_buffer) > 100000 && !$nolimit) {
&http_error(414, "Request too long",
"Received excessive line <pre>$main::read_buffer</pre>");
"Received excessive line <pre>".&html_strip($main::read_buffer)."</pre>");
}

# need to read more..
Expand Down Expand Up @@ -5206,7 +5210,8 @@ sub handle_dav_request
}
}
else {
&http_error(500, "Unix user $authuser does not exist");
&http_error(500, "Unix user ".&html_strip($authuser).
" does not exist");
return 0;
}
}
Expand Down Expand Up @@ -6053,6 +6058,13 @@ sub html_escape
return $tmp;
}

sub html_strip
{
my ($tmp) = @_;
$tmp =~ s/<[^>]*>//g;
return $tmp;
}

# validate_twofactor(username, token)
# Checks if a user's two-factor token is valid or not. Returns undef on success
# or the error message on failure.
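Review bot: The new html_strip sub in the last hunk (`$tmp =~ s/<[^>]*>//g;`) only removes complete tags, so a value containing an unterminated `<`, a bare `>` or an `&` sequence is still written into the error page verbatim, and that is weaker than the html_escape call the hunks at 2193 and 2261 replace — the directory listing at 2261 in particular now emits a filename such as `a<b` into the `<a>` element without encoding, where it previously was escaped. The safer fix keeps the strip and also encodes what remains, e.g. after the substitution add `$tmp =~ s/&/&amp;/g; $tmp =~ s/</&lt;/g; $tmp =~ s/>/&gt;/g;`, or have html_strip return `&html_escape($tmp)` if that helper (defined just above, body outside the hunk) encodes those characters; the same applies to the `<pre>` output in read_line at 2980. The hunk at 2018 is also inconsistent with the one at 1254: `"Access denied for $acptip for ".` still interpolates $acptip raw while the earlier message wraps the same variable in html_strip. Every hunk except the html_strip definition is inside a sub (handle_request, http_error, read_line, handle_dav_request) whose body starts and ends outside the hunk.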
