Issue #1067

Escape HTML in redirect pages

guest
created an issue

In CherryPy 3.1.2 and 3.2.0 (the 2 versions I checked), redirect pages return the HTML:

This resource can be found at <a href='http://example.com/whathaveyou'>http://example.com/whathaveyou</a>;

This HTML is not escaped, so you can go to an address along the lines of:

http://example.com/whathaveyou'><SCRIPT>alert(123)</SCRIPT>;

and find returned HTML:

This resource can be found at <a href='http://example.com/whathaveyou'><SCRIPT>alert(123)</SCRIPT>'>http://example.com/whathaveyou?'><SCRIPT>alert(123)</SCRIPT></a>;

This is an XSS issue.

Now, AFAIK no modern browser bothers loading code for and executing js in redirect pages, so this probably isn't a big vulnerability. But it may be one, so I thought I'd bring it to your attention.

I will attach a (slightly dirty) patch for 3.1.2 (dos-formatted).

Comments (4)

  1. Anonymous

    I'm not sure it's up to CherryPy to perform the escape; it's the developer's responsibility.

  2. guest reporter

    OK, you may well be right.

    I'm new to CherryPy, and found this issue in one of the applications we use which uses it. If you do conclude that this is the case, I'll let the application developers know.

  3. Anonymous

    Basically CherryPy is a Python interface over HTTP. I assume you're using cherrypy.HTTPRedirect(url) where url might contain some "dangerous" code, but CherryPy isn't aware of what "dangerous" means in that case. In other words, it's up to your application developer to provide a "clean" url.

  4. Anonymous

    It is not always the developer firing the redirect. Setting tools.trailing_slash.extra = True will cause a low-level redirect, which is out of the devs' control. We have this option on, and have had to apply this patch to secure our product from this attack.
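The issue body shows the redirect body being built by pasting the request URL straight into an HTML anchor, and comment 4 notes that the same body is produced by framework-level redirects (tools.trailing_slash) that the application never sees. The following is an added example, not CherryPy's own code or the reporter's patch: it reproduces the unescaped template described above beside a hardened version that runs the URL through html.escape, and parses both bodies with the standard library to show which tags a browser would see. PAYLOAD_URL is the crafted address from the report; the function names and the tag-collecting parser are assumptions for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the crafted request path quoted in the report,
# as it would reach the redirect logic as the target URL.
PAYLOAD_URL = "http://example.com/whathaveyou'><SCRIPT>alert(123)</SCRIPT>"


def redirect_body_unescaped(url):
    """Deliberately vulnerable: mirrors the behaviour the report describes,
    interpolating the URL verbatim into both the href attribute and the text."""
    return "This resource can be found at <a href='%s'>%s</a>." % (url, url)


def redirect_body_escaped(url):
    """Hardened form (assumed fix, not CherryPy's actual patch): HTML-escape the
    URL before interpolation. quote=True also escapes ' and ", which matters
    because the template wraps the attribute value in single quotes."""
    safe = html.escape(url, quote=True)
    return "This resource can be found at <a href='%s'>%s</a>." % (safe, safe)


class _TagCollector(HTMLParser):
    """Records every start tag and the href of every anchor in a body."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            for name, value in attrs:
                if name == "href":
                    self.hrefs.append(value)


def start_tags(body):
    """Tag names (lowercased by html.parser) in document order."""
    p = _TagCollector()
    p.feed(body)
    p.close()
    return p.tags


def anchor_hrefs(body):
    """href values as a browser would see them after entity decoding."""
    p = _TagCollector()
    p.feed(body)
    p.close()
    return p.hrefs


if __name__ == "__main__":
    for label, fn in (("unescaped", redirect_body_unescaped),
                      ("escaped", redirect_body_escaped)):
        body = fn(PAYLOAD_URL)
        print(label, "tags:", start_tags(body), "hrefs:", anchor_hrefs(body))
```

With the payload from the report, the unescaped body parses as an anchor whose href is truncated at the injected quote followed by two script elements, while the escaped body parses as a single anchor whose href decodes back to exactly the requested URL, so the link still works but no markup from the URL survives. Escaping the body does nothing for the Location header, which is a separate field and must be handled on its own.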
