Module Name:    src
Committed By:   rillig
Date:           Sun Feb 28 16:10:00 UTC 2021

Modified Files:
        src/libexec/httpd: printenv.lua

Log Message:
libexec/httpd: fix cross-site scripting in Lua example

curl \
  --header 'NAME<x>: <y>' \
  'http://127.0.0.1:8080/test/printenv?<b>=<i>'


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/libexec/httpd/printenv.lua

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/libexec/httpd/printenv.lua
diff -u src/libexec/httpd/printenv.lua:1.4 src/libexec/httpd/printenv.lua:1.5
--- src/libexec/httpd/printenv.lua:1.4	Tue Aug 25 20:02:33 2020
+++ src/libexec/httpd/printenv.lua	Sun Feb 28 16:10:00 2021
@@ -1,4 +1,4 @@
--- $NetBSD: printenv.lua,v 1.4 2020/08/25 20:02:33 leot Exp $
+-- $NetBSD: printenv.lua,v 1.5 2021/02/28 16:10:00 rillig Exp $
 
 -- this small Lua script demonstrates the use of Lua in (bozo)httpd
 -- it will simply output the "environment"
@@ -14,6 +14,10 @@
 
 local httpd = require 'httpd'
 
+function escape_html(s)
+  return s:gsub('&', '&amp;'):gsub('<', '&lt;'):gsub('>', '&gt;'):gsub('"', '&quot;')
+end
+
 function printenv(env, headers, query)
 
 	-- we get the "environment" in the env table, the values are more
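Review bot: `escape_html` returns two values, because `string.gsub` also returns the substitution count and `return s:gsub(...)` forwards both; the call sites in this commit sit inside `..` concatenations, which truncate to one value, but a future `httpd.print(escape_html(v))` would hand the count to `print` as an extra argument. Wrapping the chain in parentheses fixes this at the source: `return (s:gsub('&', '&amp;'):gsub('<', '&lt;'):gsub('>', '&gt;'):gsub('"', '&quot;'))`. The old `k .. '=' .. v` also coerced numbers, whereas `s:gsub` raises on a non-string, so if the httpd binding can ever yield numeric values (not visible in this hunk) a leading `s = tostring(s)` would keep that tolerance. The escape set is adequate for the element-content context the callers use it in; a one-line comment, e.g. `-- escapes for HTML text content; not sufficient inside single-quoted attributes or <script>`, would stop the helper being reused in a context it does not cover.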
@@ -40,18 +44,18 @@ function printenv(env, headers, query)
 	httpd.print('<h2>Server Environment</h2>')
 	-- print the list of "environment" variables
 	for k, v in pairs(env) do
-		httpd.print(k .. '=' .. v .. '<br/>')
+		httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
 	end
 
 	httpd.print('<h2>Request Headers</h2>')
 	for k, v in pairs(headers) do
-		httpd.print(k .. '=' .. v .. '<br/>')
+		httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
 	end
 
 	if query ~= nil then
 		httpd.print('<h2>Query Variables</h2>')
 		for k, v in pairs(query) do
-			httpd.print(k .. '=' .. v .. '<br/>')
+			httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
 		end
 	end
 
@@ -83,7 +87,7 @@ function form(env, header, query)
 		end
 
 		for k, v in pairs(query) do
-			httpd.print(k .. '=' .. v .. '<br/>')
+			httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
 		end
 	else
 		httpd.print('No values')
