ExternalVendorCode/tahoe-lafs
1
0
Fork 0
mirror of https://github.com/tahoe-lafs/tahoe-lafs.git synced 2025-02-22 02:16:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

web: replace FILE links with /uri -based ones, to prevent an XSS attack against the secret vdrive URI contained in the current URL

Browse Source
This commit is contained in:
Brian Warner 2007-08-22 17:35:01 -07:00
parent 9924bb2e59
commit f3353ee5e4
2 changed files with 17 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/allmydata/test/test_web.py
View File

@ -646,7 +646,10 @@ class Web(WebMixin, unittest.TestCase):
# the addSlash means we get a redirect here # the addSlash means we get a redirect here
d = self.GET("/vdrive/global/foo", followRedirect=True) d = self.GET("/vdrive/global/foo", followRedirect=True)
def _check(res): def _check(res):
self.failUnless(re.search(r'<td><a href="bar.txt">bar.txt</a></td>' # the FILE reference points to a URI, but it should end in bar.txt
self.failUnless(re.search(r'<td>'
'<a href="[^"]+bar.txt">bar.txt</a>'
'</td>'
'\s+<td>FILE</td>' '\s+<td>FILE</td>'
'\s+<td>123</td>' '\s+<td>123</td>'
, res)) , res))

19
src/allmydata/webish.py
View File

@ -167,22 +167,29 @@ class Directory(rend.Page):
ctx.fillSlots("rename", rename) ctx.fillSlots("rename", rename)
# build the base of the uri_link link url # build the base of the uri_link link url
uri_link = urllib.quote(target.get_uri().replace("/", "!")) uri_link = "/uri/" + urllib.quote(target.get_uri().replace("/", "!"))
if IFileNode.providedBy(target): if IFileNode.providedBy(target):
# file # file
dlurl = urllib.quote(name)
# add the filename to the uri_link url
uri_link += '?%s' % (urllib.urlencode({'filename': name}),)
# to prevent javascript in displayed .html files from stealing a
# secret vdrive URI from the URL, send the browser to a URI-based
# page that doesn't know about the vdrive at all
#dlurl = urllib.quote(name)
dlurl = uri_link
ctx.fillSlots("filename", ctx.fillSlots("filename",
T.a(href=dlurl)[html.escape(name)]) T.a(href=dlurl)[html.escape(name)])
ctx.fillSlots("type", "FILE") ctx.fillSlots("type", "FILE")
ctx.fillSlots("size", target.get_size()) ctx.fillSlots("size", target.get_size())
text_plain_link = "/uri/%s?filename=foo.txt" % uri_link text_plain_link = uri_link + "?filename=foo.txt"
text_plain_tag = T.a(href=text_plain_link)["text/plain"] text_plain_tag = T.a(href=text_plain_link)["text/plain"]
# if we're a file, add the filename to the uri_link url
uri_link += '?%s' % (urllib.urlencode({'filename': name}),)
elif IDirectoryNode.providedBy(target): elif IDirectoryNode.providedBy(target):
# directory # directory
@ -202,7 +209,7 @@ class Directory(rend.Page):
childdata = [T.a(href="%s?t=json" % name)["JSON"], ", ", childdata = [T.a(href="%s?t=json" % name)["JSON"], ", ",
T.a(href="%s?t=uri" % name)["URI"], ", ", T.a(href="%s?t=uri" % name)["URI"], ", ",
T.a(href="%s?t=readonly-uri" % name)["readonly-URI"], ", ", T.a(href="%s?t=readonly-uri" % name)["readonly-URI"], ", ",
T.a(href="/uri/%s" % uri_link)["URI-link"], T.a(href=uri_link)["URI-link"],
] ]
if text_plain_tag: if text_plain_tag:
childdata.extend([", ", text_plain_tag]) childdata.extend([", ", text_plain_tag])