Commit a2aa1ac4 authored by Georg Brandl

bug [ 1100201 ] Cross-site scripting on BaseHTTPServer

parent 379f99db
......@@ -89,6 +89,8 @@ DEFAULT_ERROR_MESSAGE = """\
</body>
"""
def _quote_html(html):
return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
class HTTPServer(SocketServer.TCPServer):
......@@ -336,8 +338,9 @@ class BaseHTTPRequestHandler(SocketServer.StreamRequestHandler):
message = short
explain = long
self.log_error("code %d, message %s", code, message)
# using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
content = (self.error_message_format %
{'code': code, 'message': message, 'explain': explain})
{'code': code, 'message': _quote_html(message), 'explain': explain})
self.send_response(code, message)
self.send_header("Content-Type", "text/html")
self.send_header('Connection', 'close')
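Review bot: Only `message` is escaped on the new dict line; `explain` is interpolated into the same HTML template unescaped. Here both values appear to come from the handler's `responses` table, so they are server-controlled, but a subclass that passes request-derived text into `send_error` would reintroduce the issue, and escaping both is free: `{'code': code, 'message': _quote_html(message), 'explain': _quote_html(explain)}`. The same unescaped `message` is still handed to `send_response(code, message)` on the following line, where HTML escaping is irrelevant and a value containing CR/LF would reach the status line, so a comment noting that the caller must keep `message` to a single line would be useful. `_quote_html` in the first hunk replaces only `&`, `<` and `>`, which suffices for element text but not for attribute values; a one-line docstring such as `"""Escape &, < and > for use in HTML element text (not attributes)."""` would make that limit explicit. The enclosing `send_error` starts before and ends after this hunk.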