author | Ian Bicking <ianb@colorstudy.com> | 2010-09-14 10:57:29 -0500 |
---|---|---|
committer | Ian Bicking <ianb@colorstudy.com> | 2010-09-14 10:57:29 -0500 |
commit | 2f43ca51972a0cfa19b8dfedb38aa1eca3d21d79 (patch) | |
tree | 4c553cbecc5a9a2d65d7738023be9fdd7b7a85e1 | |
parent | f135179046751bd421eba341cc56da0c984dbea8 (diff) | |
download | paste-2f43ca51972a0cfa19b8dfedb38aa1eca3d21d79.tar.gz |
Just a bit more paranoia in quoting comments, though I wasn't able to reproduce any actual issue
-rw-r--r-- | docs/news.txt | 3 | ||||
-rw-r--r-- | paste/httpexceptions.py | 2 | ||||
-rw-r--r-- | paste/util/quoting.py | 9 | ||||
-rw-r--r-- | tests/test_urlmap.py | 2 |
4 files changed, 13 insertions, 3 deletions
diff --git a/docs/news.txt b/docs/news.txt
index 38231d3..9c58f63 100644
--- a/docs/news.txt
+++ b/docs/news.txt
@@ -30,7 +30,8 @@ tip
 :class:`paste.urlparser.StaticURLParser` and :class:`paste.urlmap.URLMap`. If you ask for a path with ``/--><script>...`` that will be inserted in the error page and can
- execute Javascript. Reported by Tim Wintle.
+ execute Javascript. Reported by Tim Wintle with further details
+ from Georg-Christian Pranschke.
 * Replaced :func:`paste.util.mimeparse.desired_match`
diff --git a/paste/httpexceptions.py b/paste/httpexceptions.py
index 208d5cf..ede4f7e 100644
--- a/paste/httpexceptions.py
+++ b/paste/httpexceptions.py
@@ -212,7 +212,7 @@ class HTTPException(Exception):
     def plain(self, environ):
         """ text/plain representation of the exception """
-        body = self.make_body(environ, strip_html(self.template), comment_quote)
+        body = self.make_body(environ, strip_html(self.template), no_quote, comment_quote)
         return ('%s %s\r\n%s\r\n' % (self.code, self.title, body))
     def html(self, environ):
diff --git a/paste/util/quoting.py b/paste/util/quoting.py
index 582cc40..6184752 100644
--- a/paste/util/quoting.py
+++ b/paste/util/quoting.py
@@ -77,11 +77,18 @@ def no_quote(s):
     return s
 _comment_quote_re = re.compile(r'\-\s*\>')
+# Everything but \r, \n, \t:
+_bad_chars_re = re.compile('[\x00-\x08\x0b-\x0c\x0e-\x1f]')
 def comment_quote(s):
     """ Quote that makes sure text can't escape a comment """
-    return _comment_quote_re.sub('->', str(s))
+    comment = str(s)
+    #comment = _bad_chars_re.sub('', comment)
+    #print 'in ', repr(str(s))
+    #print 'out', repr(comment)
+    comment = _comment_quote_re.sub('->', comment)
+    return comment
 url_quote = urllib.quote
 url_unquote = urllib.unquote
diff --git a/tests/test_urlmap.py b/tests/test_urlmap.py
index 60b66eb..9f77ca2 100644
--- a/tests/test_urlmap.py
+++ b/tests/test_urlmap.py
@@ -45,3 +45,5 @@ def test_404():
     app = TestApp(mapper, extra_environ={'HTTP_ACCEPT': 'text/html'})
     res = app.get("/-->%0D<script>alert('xss')</script>", status=404)
     assert '--><script' not in res.body
+    res = app.get("/--%01><script>", status=404)
+    assert '--\x01><script>' not in res.body |
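Review bot: The plain() call in paste/httpexceptions.py now passes no_quote in the slot that the HTML renderer presumably fills with an escaping function, but nothing in the hunk records why a text/plain body may skip HTML escaping while still running comment_quote over the path. A one-line comment above the call would keep that intent visible, e.g. `# text/plain is never rendered as HTML, so no entity escaping; comment terminators are still neutralised`. The previous three-argument call looks like it was simply short one argument, so the fix itself seems right, but make_body's signature is outside the hunk and I could not confirm the parameter order.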
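Review bot: In paste/util/quoting.py the new _bad_chars_re is compiled on the new side but its only use, `#comment = _bad_chars_re.sub('', comment)`, is commented out along with two leftover `#print` debugging lines, so comment_quote's behaviour is unchanged and the module now advertises a control-character filter it never applies. Either enable that stripping line (the class deliberately keeps \r, \n and \t, so the cost is small) or drop all three commented lines, and say which on the function's docstring, e.g. `Quote that makes sure text can't escape a comment; control characters other than \r, \n and \t are stripped first.` Note that `\s` in _comment_quote_re does not match the bytes _bad_chars_re targets, so the two patterns are complementary rather than redundant. Separately, as rendered here the replacement string is `'->'`, which rewrites `->` to itself and therefore does nothing; if the page merely lost an HTML entity in the original literal this can be ignored, otherwise the existing substitution is a no-op and the first assertion in tests/test_urlmap.py is what would expose it.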
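Review bot: The new assertion on the last line of the hunk only checks that the exact bytes `--\x01><script>` are absent, so it would also pass if the control character were merely dropped and the output became `--><script>`, which is precisely the comment-escape the test exists to catch. Re-check the dangerous form after the second request as well: `assert '--><script' not in res.body`. The body of test_404 starts outside the hunk.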