diff options
author | Georg Brandl <georg@python.org> | 2005-06-26 21:33:14 (GMT) |
---|---|---|
committer | Georg Brandl <georg@python.org> | 2005-06-26 21:33:14 (GMT) |
commit | a2aa1ac42b02e473a00cd1be225c750726869b41 (patch) | |
tree | 18859a3c524e927345a7e363ba54b04d094bb3ef | |
parent | 379f99dbc34db20d62e77175003a25a6ec22885b (diff) | |
download | cpython-a2aa1ac42b02e473a00cd1be225c750726869b41.zip cpython-a2aa1ac42b02e473a00cd1be225c750726869b41.tar.gz cpython-a2aa1ac42b02e473a00cd1be225c750726869b41.tar.bz2 |
bug [ 1100201 ] Cross-site scripting on BaseHTTPServer
-rw-r--r-- | Lib/BaseHTTPServer.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/Lib/BaseHTTPServer.py b/Lib/BaseHTTPServer.py index 27ac513..722b50c 100644 --- a/Lib/BaseHTTPServer.py +++ b/Lib/BaseHTTPServer.py @@ -89,6 +89,8 @@ DEFAULT_ERROR_MESSAGE = """\ </body> """ +def _quote_html(html): + return html.replace("&", "&").replace("<", "<").replace(">", ">") class HTTPServer(SocketServer.TCPServer): @@ -336,8 +338,9 @@ class BaseHTTPRequestHandler(SocketServer.StreamRequestHandler): message = short explain = long self.log_error("code %d, message %s", code, message) + # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201) content = (self.error_message_format % - {'code': code, 'message': message, 'explain': explain}) + {'code': code, 'message': _quote_html(message), 'explain': explain}) self.send_response(code, message) self.send_header("Content-Type", "text/html") self.send_header('Connection', 'close') |