mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

bug [ 1100201 ] Cross-site scripting on BaseHTTPServer

Browse source
This commit is contained in:
Georg Brandl 2005-06-26 21:33:14 +00:00
parent 379f99dbc3
commit a2aa1ac42b
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Lib/BaseHTTPServer.py
View file

@ -89,6 +89,8 @@ DEFAULT_ERROR_MESSAGE = """\
</body> </body>
""" """
def _quote_html(html):
return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
class HTTPServer(SocketServer.TCPServer): class HTTPServer(SocketServer.TCPServer):
@ -336,8 +338,9 @@ class BaseHTTPRequestHandler(SocketServer.StreamRequestHandler):
message = short message = short
explain = long explain = long
self.log_error("code %d, message %s", code, message) self.log_error("code %d, message %s", code, message)
# using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
content = (self.error_message_format % content = (self.error_message_format %
{'code': code, 'message': message, 'explain': explain}) {'code': code, 'message': _quote_html(message), 'explain': explain})
self.send_response(code, message) self.send_response(code, message)
self.send_header("Content-Type", "text/html") self.send_header("Content-Type", "text/html")
self.send_header('Connection', 'close') self.send_header('Connection', 'close')