diff roundup/cgi/client.py @ 1685:b6621f8bd496 maint-0.5
backported XSS message cleaning fix [SF#757128]
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Tue, 24 Jun 2003 03:33:56 +0000 |
| parents | 02ed2b7180e0 |
| children | 03170eb33b82 |
--- a/roundup/cgi/client.py Tue Jun 24 03:09:35 2003 +0000
+++ b/roundup/cgi/client.py Tue Jun 24 03:33:56 2003 +0000
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.65.2.9 2003-06-19 23:02:32 richard Exp $
+# $Id: client.py,v 1.65.2.10 2003-06-24 03:33:56 richard Exp $

__doc__ = """
WWW request handler (also used in the stand-alone server).
@@ -47,10 +47,16 @@
description="User may manipulate user Roles through the web")
security.addPermissionToRole('Admin', p)

-def clean_message(match, ok={'a':1,'i':1,'b':1,'br':1}):
+# used to clean messages passed through CGI variables - HTML-escape any tag
+# that isn't <a href="">, <i>, <b> and <br> (including XHTML variants) so
+# that people can't pass through nasties like <script>, <iframe>, ...
+CLEAN_MESSAGE_RE = r'(<(/?(.*?)(\s*href="[^"]")?\s*/?)>)'
+def clean_message(message, mc=re.compile(CLEAN_MESSAGE_RE, re.I)):
+ return mc.sub(clean_message_callback, message)
+def clean_message_callback(match, ok={'a':1,'i':1,'b':1,'br':1}):
''' Strip all non <a>,<i>,<b> and <br> tags from a string
'''
- if ok.has_key(match.group(2)):
+ if ok.has_key(match.group(3).lower()):
return match.group(1)
return '<%s>'%match.group(2)

@@ -256,8 +262,7 @@
# reopen the database as the correct user
self.opendb(self.user)

- def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)'),
- mc=re.compile(r'(</?(.*?)>)')):
+ def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)')):
''' Determine the context of this page from the URL:

The URL path after the instance identifier is examined. The path 
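Review bot: CLEAN_MESSAGE_RE is compiled with re.I only, so the `(.*?)` tag-name group cannot cross a newline and a tag written as `<img\nsrc=x\nonerror=alert(1)>` (a %0A in the query string) never matches at all and is passed through verbatim, even though browsers accept a newline between a tag name and its attributes. Compile it as `re.compile(CLEAN_MESSAGE_RE, re.I | re.S)`, or write the name group as `([^>]*?)`, so such tags still reach clean_message_callback and get escaped. Separately, `href="[^"]"` matches exactly one character, so every real `<a href="...">` is escaped rather than allowed as the comment promises; if it is widened to `[^"]*`, the pattern must also reject `javascript:`/`data:` schemes, e.g. `(\s*href="(?:https?://|/|#)[^"]*")?`, or the allow-list becomes a `javascript:` URL vector. Both new functions are complete within this hunk.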
@@ -339,10 +344,10 @@

# see if we were passed in a message
if self.form.has_key(':ok_message'):
- msg = mc.sub(clean_message, self.form[':ok_message'].value)
+ msg = clean_message(self.form[':ok_message'].value)
self.ok_message.append(msg)
if self.form.has_key(':error_message'):
- msg = mc.sub(clean_message, self.form[':error_message'].value)
+ msg = clean_message(self.form[':error_message'].value)
self.error_message.append(msg)

def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
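Review bot: Even after tag cleaning, `:ok_message` and `:error_message` are taken verbatim from the request and appended as application status text, so any crafted link can make the page display attacker-chosen wording as an "ok" or "error" message (content spoofing); the commit stops tag injection but not that. If these parameters only ever carry strings the application itself generated on redirect, a table of fixed messages keyed by a short identifier, or an HMAC over the text, would close that without affecting legitimate callers. Note also that clean_message leaves `&` and `"` untouched, so if a message is later placed inside an attribute value (not visible here) it still needs attribute escaping at that point. The enclosing determine_context body starts outside this hunk.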
