cgi: escape url in 403 error output
authorJo-Philipp Wich <jo@mein.io>
Wed, 28 Nov 2018 11:36:35 +0000 (12:36 +0100)
committerJo-Philipp Wich <jo@mein.io>
Wed, 28 Nov 2018 11:36:35 +0000 (12:36 +0100)
Escape the untrusted request URL input in the permission denied HTML output.

This fixes certain XSS vulnerabilities which can be leveraged to further
exploit the system.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
cgi.c

diff --git a/cgi.c b/cgi.c
index 0ffb130..13a0bc4 100644 (file)
--- a/cgi.c
+++ b/cgi.c
@@ -67,11 +67,18 @@ static void cgi_main(struct client *cl, struct path_info *pi, char *url)
 static void cgi_handle_request(struct client *cl, char *url, struct path_info *pi)
 {
        unsigned int mode = S_IFREG | S_IXOTH;
+       char *escaped_url;
 
        if (!pi->ip && !((pi->stat.st_mode & mode) == mode)) {
+               escaped_url = uh_htmlescape(url);
+
                uh_client_error(cl, 403, "Forbidden",
                                "You don't have permission to access %s on this server.",
-                               url);
+                               escaped_url ? escaped_url : "the url");
+
+               if (escaped_url)
+                       free(escaped_url);
+
                return;
        }