ui-shared: prevent malicious filename from injecting headers
This commit is contained in:
rodzic
4291453ec3
commit
513b3863d9
26
html.c
26
html.c
@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
|
||||
html(txt);
|
||||
}
|
||||
|
||||
void html_header_arg_in_quotes(const char *txt)
|
||||
{
|
||||
const char *t = txt;
|
||||
while (t && *t) {
|
||||
unsigned char c = *t;
|
||||
const char *e = NULL;
|
||||
if (c == '\\')
|
||||
e = "\\\\";
|
||||
else if (c == '\r')
|
||||
e = "\\r";
|
||||
else if (c == '\n')
|
||||
e = "\\n";
|
||||
else if (c == '"')
|
||||
e = "\\\"";
|
||||
if (e) {
|
||||
html_raw(txt, t - txt);
|
||||
html(e);
|
||||
txt = t + 1;
|
||||
}
|
||||
t++;
|
||||
}
|
||||
if (t != txt)
|
||||
html(txt);
|
||||
|
||||
}
|
||||
|
||||
void html_hidden(const char *name, const char *value)
|
||||
{
|
||||
html("<input type='hidden' name='");
|
||||
|
1
html.h
1
html.h
@ -23,6 +23,7 @@ extern void html_ntxt(int len, const char *txt);
|
||||
extern void html_attr(const char *txt);
|
||||
extern void html_url_path(const char *txt);
|
||||
extern void html_url_arg(const char *txt);
|
||||
extern void html_header_arg_in_quotes(const char *txt);
|
||||
extern void html_hidden(const char *name, const char *value);
|
||||
extern void html_option(const char *value, const char *text, const char *selected_value);
|
||||
extern void html_intoption(int value, const char *text, int selected_value);
|
||||
|
@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
|
||||
htmlf("Content-Type: %s\n", ctx.page.mimetype);
|
||||
if (ctx.page.size)
|
||||
htmlf("Content-Length: %zd\n", ctx.page.size);
|
||||
if (ctx.page.filename)
|
||||
htmlf("Content-Disposition: inline; filename=\"%s\"\n",
|
||||
ctx.page.filename);
|
||||
if (ctx.page.filename) {
|
||||
html("Content-Disposition: inline; filename=\"");
|
||||
html_header_arg_in_quotes(ctx.page.filename);
|
||||
html("\"\n");
|
||||
}
|
||||
if (!ctx.env.authenticated)
|
||||
html("Cache-Control: no-cache, no-store\n");
|
||||
htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
|
||||
|
Ładowanie…
Reference in New Issue
Block a user