author | Marcel Hellkamp <marc@gsites.de> | 2011-12-17 14:54:28 +0100 |
committer | Marcel Hellkamp <marc@gsites.de> | 2011-12-22 19:43:32 +0100 |
commit | 58440a5d88597357978e1437c50d57beb9868dec (patch) | |
tree | f8a6425462d15bcddb232678f22182b3d5d0e299 | |
parent | be5a5fd08dd3f65c9f83ad337756e8a4f8f69e04 (diff) | |
download | bottle-58440a5d88597357978e1437c50d57beb9868dec.tar.gz |
fix #267: Possible XSS vulnerability on internal server errors.
-rwxr-xr-x | bottle.py | 12 |
1 files changed, 7 insertions, 5 deletions
@@ -751,12 +751,14 @@ class Bottle(object):
 except Exception, e:
 if not self.catchall: raise
 err = '<h1>Critical error while processing request: %s</h1>' \
- % environ.get('PATH_INFO', '/')
+ % cgi.escape(environ.get('PATH_INFO', '/'))
 if DEBUG:
- err += '<h2>Error:</h2>\n<pre>%s</pre>\n' % repr(e)
- err += '<h2>Traceback:</h2>\n<pre>%s</pre>\n' % format_exc(10)
- environ['wsgi.errors'].write(err) #TODO: wsgi.error should not get html
- start_response('500 INTERNAL SERVER ERROR', [('Content-Type', 'text/html')])
+ err += '<h2>Error:</h2>\n<pre>\n%s\n</pre>\n' \
+ '<h2>Traceback:</h2>\n<pre>\n%s\n</pre>\n' \
+ % (cgi.escape(repr(e)), cgi.escape(format_exc(10)))
+ environ['wsgi.errors'].write(err)
+ headers = [('Content-Type', 'text/html; charset=UTF-8')]
+ start_response('500 INTERNAL SERVER ERROR', headers)
 return [tob(err)]
 
 def __call__(self, environ, start_response):
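Review bot: `environ['wsgi.errors'].write(err)` now writes the HTML-escaped page to the server log, so entity-encoded text such as `&lt;` and `&amp;` lands in log output, and the removed `#TODO: wsgi.error should not get html` comment described exactly this without the new code resolving it. Consider logging the plain pieces and keeping `err` for the response only, e.g. `environ['wsgi.errors'].write('Critical error while processing request: %s\n%s' % (environ.get('PATH_INFO', '/'), format_exc(10)))`. The escaping itself is sound for the response because `cgi.escape` (with its default `quote=False`) is only applied to values placed in element content of `<h1>` and `<pre>`, never in an attribute; a short comment such as `# cgi.escape: values only ever land in element content, never attributes` would keep a later edit from moving one into an attribute unescaped. Note that `cgi.escape` is deprecated in Python 3.2+ in favour of `html.escape`, which may matter for the Python 3 path. The enclosing method begins before this hunk.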