Commits

Ian Bicking committed 49e69bf

Just a bit more paranoia in quoting comments, though I wasn't able to reproduce any actual issue

  • Participants
  • Parent commits 96c94ba

Comments (0)

Files changed (4)

File docs/news.txt

   :class:`paste.urlparser.StaticURLParser` and
   :class:`paste.urlmap.URLMap`.  If you ask for a path with
   ``/--><script>...`` that will be inserted in the error page and can
-  execute Javascript.  Reported by Tim Wintle.
+  execute Javascript.  Reported by Tim Wintle with further details
+  from Georg-Christian Pranschke.
 
 * Replaced :func:`paste.util.mimeparse.desired_match`
 

File paste/httpexceptions.py

 
     def plain(self, environ):
         """ text/plain representation of the exception """
-        body = self.make_body(environ, strip_html(self.template), comment_quote)
+        body = self.make_body(environ, strip_html(self.template), no_quote, comment_quote)
         return ('%s %s\r\n%s\r\n' % (self.code, self.title, body))
 
     def html(self, environ):

File paste/util/quoting.py

     return s
 
 _comment_quote_re = re.compile(r'\-\s*\>')
+# Everything but \r, \n, \t:
+_bad_chars_re = re.compile('[\x00-\x08\x0b-\x0c\x0e-\x1f]')
 def comment_quote(s):
     """
     Quote that makes sure text can't escape a comment
     """
-    return _comment_quote_re.sub('-&gt', str(s))
+    comment = str(s)
+    #comment = _bad_chars_re.sub('', comment)
+    #print 'in ', repr(str(s))
+    #print 'out', repr(comment)
+    comment = _comment_quote_re.sub('-&gt;', comment)
+    return comment
 
 url_quote = urllib.quote
 url_unquote = urllib.unquote

File tests/test_urlmap.py

     app = TestApp(mapper, extra_environ={'HTTP_ACCEPT': 'text/html'})
     res = app.get("/-->%0D<script>alert('xss')</script>", status=404)
     assert '--><script' not in res.body
+    res = app.get("/--%01><script>", status=404)
+    assert '--\x01><script>' not in res.body