blob: a2254bdbbe2bcbffac3d6b2c290b118231767f59 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
diff -u info2html-2.0-orig/info2html info2html-2.0/info2html
--- info2html-2.0-orig/info2html 2006-09-01 14:55:13.000000000 +0200
+++ info2html-2.0/info2html 2006-09-01 15:05:41.000000000 +0200
@@ -42,7 +42,7 @@
use CGI;
$ENV{'REQUEST_METHOD'} or
- print "Note: I'm really supposed to be run as a CGI!\n";
+ print "Note: I'm really supposed to be run as a CGI\!\n";
#-- patterns
$NODEBORDER = '\037\014?'; #-- delimiter of an info node
@@ -62,7 +62,7 @@
#---------------------------------------------------------
# Don't reveal where we're looking... --jonh 5/20/97 (and reapplied 5/4/1998)
sub DieFileNotFound{
- local($FileName) = @_;
+ local($FileName) = &XssEscape(@_);
#-- TEXT : error message if a file could not be opened
print <<"EOF";
<html><head><title>Info Files - Error Message</title>
@@ -104,6 +104,28 @@
}
#----------------------------------------------------------
+# XssEscape
+#----------------------------------------------------------
+sub XssEscape {
+ local($Tag) = @_;
+ #-- output escaping is required to protect browser
+ # against `cross site' and `cross frame scripting'
+
+ $Tag =~ s/&/&/gs; # ampersand
+ $Tag =~ s/#/#/gs;
+ $Tag =~ s/;/;/gs;
+ $Tag =~ s/[\000-\037\177-\237]/¿/gs; # "ctrl" codes 0-31 and 127-159
+ $Tag =~ s/</</gs; # less-than symbol
+ $Tag =~ s/>/>/gs; # greater-than symbol
+ $Tag =~ s/"/"/gs; # double quote
+ $Tag =~ s/\240/ /gs; # non-breaking space
+ $Tag =~ s/\255/­/gs; # soft hyphen
+ # the rest is interpreted
+ # as ISO 8859-1
+ $Tag;
+}
+
+#----------------------------------------------------------
# ParsHeaderToken
#----------------------------------------------------------
# Parses the heaer line of an info node for a specific
@@ -493,6 +515,8 @@
#----------------------------------------------------------
sub ReplyNotFoundMessage{
local($FileName,$Tag) = @_;
+ $FileName = &XssEscape($FileName);
+ $Tag = &XssEscape($Tag);
print <<"EOF";
<html><head><title>Info Files - Error Message</title>
$BOTS_STAY_AWAY
Only in info2html-2.0: info2html.orig
Only in info2html-2.0: info2html.rej
|