[Python-checkins] python/dist/src/Lib BaseHTTPServer.py,1.29,1.30
birkenfeld@users.sourceforge.net
birkenfeld at users.sourceforge.net
Sun Jun 26 23:33:24 CEST 2005
Update of /cvsroot/python/python/dist/src/Lib
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv21516/Lib
Modified Files:
BaseHTTPServer.py
Log Message:
bug [ 1100201 ] Cross-site scripting on BaseHTTPServer
Index: BaseHTTPServer.py
===================================================================
RCS file: /cvsroot/python/python/dist/src/Lib/BaseHTTPServer.py,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -d -r1.29 -r1.30
--- BaseHTTPServer.py 12 Feb 2004 17:35:05 -0000 1.29
+++ BaseHTTPServer.py 26 Jun 2005 21:33:14 -0000 1.30
@@ -89,6 +89,8 @@
</body>
"""
+def _quote_html(html):
+ return html.replace("&", "&").replace("<", "<").replace(">", ">")
class HTTPServer(SocketServer.TCPServer):
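Review bot: `_quote_html` has no docstring and only covers text-content escaping, which a maintainer needs to know before reusing it elsewhere; I would add `"""Escape &, < and > so *html* can be embedded as HTML text content (not inside an attribute value)."""`. As rendered here the three `replace` calls look like identity replacements (`"&"` to `"&"`), which is almost certainly the mail archive decoding the `&amp;`/`&lt;`/`&gt;` entities rather than the committed code, but it is worth confirming against revision 1.30 itself. The stdlib already has `cgi.escape(s)`, which performs exactly this &, <, > substitution, so a one-line `return cgi.escape(html)` (plus the import) would avoid a second hand-rolled escaper.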
@@ -336,8 +338,9 @@
message = short
explain = long
self.log_error("code %d, message %s", code, message)
+ # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
content = (self.error_message_format %
- {'code': code, 'message': message, 'explain': explain})
+ {'code': code, 'message': _quote_html(message), 'explain': explain})
self.send_response(code, message)
self.send_header("Content-Type", "text/html")
self.send_header('Connection', 'close')
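Review bot: Only `message` is escaped in the new `content` line; `explain` is interpolated into the same HTML template unescaped. In this hunk `explain` is assigned from `long` (L27), which appears to come from the response table rather than the caller, so it is not attacker-controlled today, but the asymmetry is a latent hole if `explain` ever becomes a parameter; I would write `{'code': code, 'message': _quote_html(message), 'explain': _quote_html(explain)}` so every string substituted into the page is quoted. The enclosing `send_error` method starts outside the hunk, so I cannot see whether `message` is also passed anywhere else unescaped besides `self.send_response(code, message)` on the status line.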