Changeset 26539 for main

Timestamp:
28.11.2012 18:35:47 (7 years ago)
Author:
ak19
Message:

Code to URL encode special characters in cgi-params to mitigate more obvious script injections into the page or the log.

Files:
1 modified

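--- a/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp
@@ -329,4 +329,34 @@
 }
 
+// Ensure dangerous tags and chars in cgi-args are URL encoded, to prevent obvious XSS attempts
+// (e.g. c=<script>alert("hacked")</script>) and log poisoning (apache writes unrecognised URLs
+// into log. If the user entered c=garbage <?php ...> in the URL, it gets written out into the
+// apache log and that log file can be included in a local file inclusion (LFI) or
+// remote file include (RFI) attack.
+// This function encodes <>, &, ", ', / which are scripting chars or chars which can be used to
+// break out of an html/XML/javascript context.
+void safe_cgi_arg (text_t &argstr) {
+  text_t::iterator in = argstr.begin();
+  text_t out = "";
+  text_t::iterator end = argstr.end();
+
+  while (in != end) {
+    if (*in == '<') out += "%3C";
+    else if (*in == '>') out += "%3E";
+    else if (*in == '&') out += "%26";
+    else if (*in == '\"') out += "%22";
+    else if (*in == '\'') out += "%27";
+    else if (*in == '/') out += "%2F";
+    else { // append whatever char is in *in, but as a char, not int
+            //out += *in; // appends as int
+      out += " "; // append placeholder character
+      out[out.size()-1] = *in; // now set location containing placeholder to what's in *in
+    }
+    ++in;
+  }
+
+  argstr.erase (argstr.begin(), end);
+  argstr += out;
+}
 
 // split up the cgi arguments
@@ -347,4 +377,7 @@
     // convert %xx and + to their appropriate equivalents
     decode_cgi_arg (value);
+
+    safe_cgi_arg(value); // mitigate obvious cross-site scripting hacks in URL cgi-params
+
     value.setencoding(1); // other encoding
     // store this key=value pair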
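Review bot: safe_cgi_arg(value) is applied in place on the parsed argument just before it is stored, so every downstream consumer of that value — not only the HTML page — now receives apostrophes, slashes and ampersands as `%27`, `%2F`, `%26`; a search term such as O'Brien or a path-like identifier containing `/` will presumably no longer match what the receptionist expects, so the encoding belongs at the output sink (page or log line) or on a display copy rather than on the stored value. The header comment of safe_cgi_arg also overstates the log-poisoning benefit: the web server records the request line before the CGI program runs, so this cannot change what reaches the server's own access log, only what this code emits itself; I would narrow that comment to `// Note: this only affects output produced by this program; the web server's access log already holds the raw request line.` As a style point, the two-step `argstr.erase (argstr.begin(), end); argstr += out;` at the end of the function can be written as `argstr = out;`, and the placeholder append in the else branch deserves a comment saying which text_t operator makes `out += *in` append an integer, since the workaround is otherwise puzzling to a reader. The enclosing parsing function in the second hunk starts and ends outside the hunk.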