author | Marcel Hellkamp <marc@gsites.de> | 2011-12-17 14:54:28 +0100 |
---|---|---|
committer | Marcel Hellkamp <marc@gsites.de> | 2011-12-17 14:57:45 +0100 |
commit | b7880d34bec5a2e56b649788f24863d9b308152c (patch) | |
tree | 42ffedc8ea16734560027d71e6ef9946b63c3d66 | |
parent | 333618d568ee5fc6d594c4b4453477380aa77174 (diff) | |
download | bottle-b7880d34bec5a2e56b649788f24863d9b308152c.tar.gz |
fix #267: Possible XSS vulnerability on internal server errors.
-rwxr-xr-x | bottle.py | 12 |
1 files changed, 7 insertions, 5 deletions
@@ -834,12 +834,14 @@ class Bottle(object):
 except Exception, e:
 if not self.catchall: raise
 err = '<h1>Critical error while processing request: %s</h1>' \
- % environ.get('PATH_INFO', '/')
+ % html_escape(environ.get('PATH_INFO', '/'))
 if DEBUG:
- err += '<h2>Error:</h2>\n<pre>%s</pre>\n' % repr(e)
- err += '<h2>Traceback:</h2>\n<pre>%s</pre>\n' % format_exc(10)
- environ['wsgi.errors'].write(err) #TODO: wsgi.error should not get html
- start_response('500 INTERNAL SERVER ERROR', [('Content-Type', 'text/html')])
+ err += '<h2>Error:</h2>\n<pre>\n%s\n</pre>\n' \
+ '<h2>Traceback:</h2>\n<pre>\n%s\n</pre>\n' \
+ % (html_escape(repr(_e())), html_escape(format_exc(10)))
+ environ['wsgi.errors'].write(err)
+ headers = [('Content-Type', 'text/html; charset=UTF-8')]
+ start_response('500 INTERNAL SERVER ERROR', headers)
 return [tob(err)]
 
 def __call__(self, environ, start_response): |
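Review bot: The HTML-escaped string is now also what is written to `environ['wsgi.errors']`, so the server log receives `&lt;`/`&quot;` entities inside the repr and traceback instead of readable text, and the `#TODO: wsgi.error should not get html` comment is dropped without that point being resolved. Escaping is correct for the response body, but the log should carry the plain values, e.g. `environ['wsgi.errors'].write('Critical error while processing request: %s\n%s' % (environ.get('PATH_INFO', '/'), format_exc(10)))`, kept under the same `DEBUG` gate if the amount logged must not change. The `html_escape` and `_e` helpers are not visible in this hunk, so their contracts are assumed from their names; `html_escape` must cover at least `<`, `&` and both quote characters for the `<pre>` content to be safe. The enclosing method starts above the hunk.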