authorJo-Philipp Wich <jo@mein.io>2018-11-28 12:36:35 +0100
committerJo-Philipp Wich <jo@mein.io>2018-11-28 12:36:35 +0100
commitcdfc902a4cb77bc538a729f9e1c8a8578454a0e5 (patch)
tree22e20e398768b886c734e9891382b573367344c7
parent0bba1ce1129e79fa3907b16b31da44670fa19fc5 (diff)
downloaduhttpd2-cdfc902a4cb77bc538a729f9e1c8a8578454a0e5.tar.gz
cgi: escape url in 403 error output
Escape the untrusted request URL input in the permission denied HTML output. This fixes certain XSS vulnerabilities which can be leveraged to further exploit the system. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--cgi.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/cgi.c b/cgi.c
index 0ffb130..13a0bc4 100644
--- a/cgi.c
+++ b/cgi.c
@@ -67,11 +67,18 @@ static void cgi_main(struct client *cl, struct path_info *pi, char *url)
static void cgi_handle_request(struct client *cl, char *url, struct path_info *pi)
{
unsigned int mode = S_IFREG | S_IXOTH;
+ char *escaped_url;
if (!pi->ip && !((pi->stat.st_mode & mode) == mode)) {
+ escaped_url = uh_htmlescape(url);
+
uh_client_error(cl, 403, "Forbidden",
"You don't have permission to access %s on this server.",
- url);
+ escaped_url ? escaped_url : "the url");
+
+ if (escaped_url)
+ free(escaped_url);
+
return;
}
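Review bot: The escaping in cgi_handle_request is applied at the call site rather than inside uh_client_error(), so this 403 path is covered but any other caller that formats request-derived text into the error body would still have to remember to escape it; those callers are not visible here, so it is worth auditing them or moving the escaping next to the formatting. When uh_htmlescape() returns NULL the code substitutes the fixed string "the url", which fails safe, and a short comment would record that intent: `/* url is untrusted request input; never emit it unescaped into the HTML error page */`. The guard before the release is redundant because free(NULL) is a no-op, so `free(escaped_url);` alone is enough. The body of cgi_handle_request continues past the end of this hunk.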