summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGeorg Brandl <georg@python.org>2005-06-26 21:33:14 (GMT)
committerGeorg Brandl <georg@python.org>2005-06-26 21:33:14 (GMT)
commita2aa1ac42b02e473a00cd1be225c750726869b41 (patch)
tree18859a3c524e927345a7e363ba54b04d094bb3ef
parent379f99dbc34db20d62e77175003a25a6ec22885b (diff)
downloadcpython-a2aa1ac42b02e473a00cd1be225c750726869b41.zip
cpython-a2aa1ac42b02e473a00cd1be225c750726869b41.tar.gz
cpython-a2aa1ac42b02e473a00cd1be225c750726869b41.tar.bz2
bug [ 1100201 ] Cross-site scripting on BaseHTTPServer
-rw-r--r--Lib/BaseHTTPServer.py5
1 files changed, 4 insertions, 1 deletions
diff --git a/Lib/BaseHTTPServer.py b/Lib/BaseHTTPServer.py
index 27ac513..722b50c 100644
--- a/Lib/BaseHTTPServer.py
+++ b/Lib/BaseHTTPServer.py
@@ -89,6 +89,8 @@ DEFAULT_ERROR_MESSAGE = """\
</body>
"""
+def _quote_html(html):
+ return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
class HTTPServer(SocketServer.TCPServer):
@@ -336,8 +338,9 @@ class BaseHTTPRequestHandler(SocketServer.StreamRequestHandler):
message = short
explain = long
self.log_error("code %d, message %s", code, message)
+ # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
content = (self.error_message_format %
- {'code': code, 'message': message, 'explain': explain})
+ {'code': code, 'message': _quote_html(message), 'explain': explain})
self.send_response(code, message)
self.send_header("Content-Type", "text/html")
self.send_header('Connection', 'close')