web: replace FILE links with /uri -based ones, to prevent an XSS attack against the secret vdrive URI contained in the current URL

2025-02-21 02:01:31 +00:00 · 2007-08-22 17:35:01 -07:00 · 2007-08-22 17:35:01 -07:00 · f3353ee5e4
commit f3353ee5e4
parent 9924bb2e59
2 changed files with 17 additions and 7 deletions
--- a/src/allmydata/test/test_web.py
+++ b/src/allmydata/test/test_web.py
@ -646,7 +646,10 @@ class Web(WebMixin, unittest.TestCase):
        # the addSlash means we get a redirect here
        d = self.GET("/vdrive/global/foo", followRedirect=True)
        def _check(res):
-            self.failUnless(re.search(r'<td><a href="bar.txt">bar.txt</a></td>'
+            # the FILE reference points to a URI, but it should end in bar.txt
+            self.failUnless(re.search(r'<td>'
+                                      '<a href="[^"]+bar.txt">bar.txt</a>'
+                                      '</td>'
                                      '\s+<td>FILE</td>'
                                      '\s+<td>123</td>'
                                      , res))
--- a/src/allmydata/webish.py
+++ b/src/allmydata/webish.py
@ -167,22 +167,29 @@ class Directory(rend.Page):
        ctx.fillSlots("rename", rename)

        # build the base of the uri_link link url
-        uri_link = urllib.quote(target.get_uri().replace("/", "!"))
+        uri_link = "/uri/" + urllib.quote(target.get_uri().replace("/", "!"))

        if IFileNode.providedBy(target):
            # file
-            dlurl = urllib.quote(name)
+
+            # add the filename to the uri_link url
+            uri_link += '?%s' % (urllib.urlencode({'filename': name}),)
+
+            # to prevent javascript in displayed .html files from stealing a
+            # secret vdrive URI from the URL, send the browser to a URI-based
+            # page that doesn't know about the vdrive at all
+            #dlurl = urllib.quote(name)
+            dlurl = uri_link
+
            ctx.fillSlots("filename",
                          T.a(href=dlurl)[html.escape(name)])
            ctx.fillSlots("type", "FILE")

            ctx.fillSlots("size", target.get_size())

-            text_plain_link = "/uri/%s?filename=foo.txt" % uri_link
+            text_plain_link = uri_link + "?filename=foo.txt"
            text_plain_tag = T.a(href=text_plain_link)["text/plain"]

-            # if we're a file, add the filename to the uri_link url
-            uri_link += '?%s' % (urllib.urlencode({'filename': name}),)

        elif IDirectoryNode.providedBy(target):
            # directory
@ -202,7 +209,7 @@ class Directory(rend.Page):
        childdata = [T.a(href="%s?t=json" % name)["JSON"], ", ",
                     T.a(href="%s?t=uri" % name)["URI"], ", ",
                     T.a(href="%s?t=readonly-uri" % name)["readonly-URI"], ", ",
-                     T.a(href="/uri/%s" % uri_link)["URI-link"],
+                     T.a(href=uri_link)["URI-link"],
                     ]
        if text_plain_tag:
            childdata.extend([", ", text_plain_tag])