Changeset 26539 for main/trunk/greenstone2/runtime-src/src

Timestamp:

2012-11-28T18:35:47+13:00 (11 years ago)

Author:

ak19

Message:

Code to URL encode special characters in cgi-params to mitigate more obvious script injections into the page or the log.

File:

• main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp (modified) (2 diffs)

main/trunk/greenstone2/runtime-src/src/recpt/cgiutils.cpp

@@ -329 +329 @@
 }
 
+// Ensure dangerous tags and chars in cgi-args are URL encoded, to prevent obvious XSS attempts
+// (e.g. c=<script>alert("hacked")</script>) and log poisoning (apache writes unrecognised URLs
+// into log. If the user entered c=garbage <?php ...> in the URL, it gets written out into the
+// apache log and that log file can be included in a local file inclusion (LFI) or 
+// remote file include (RFI) attack.
+// This function encodes <>, &, ", ', / which are scripting chars or chars which can be used to
+// break out of an html/XML/javascript context.
+void safe_cgi_arg (text_t &argstr) {
+  text_t::iterator in = argstr.begin();
+  text_t out = "";
+  text_t::iterator end = argstr.end();
+  
+  while (in != end) {
+    if (*in == '<') out += "%3C";
+    else if (*in == '>') out += "%3E";
+    else if (*in == '&') out += "%26";
+    else if (*in == '\"') out += "%22";
+    else if (*in == '\'') out += "%27";
+    else if (*in == '/') out += "%2F";
+    else { // append whatever char is in *in, but as a char, not int
+            //out += *in; // appends as int
+      out += " "; // append placeholder character
+      out[out.size()-1] = *in; // now set location containing placeholder to what's in *in
+    }
+    ++in;
+  }
+  
+  argstr.erase (argstr.begin(), end);
+  argstr += out;  
+}
 
 // split up the cgi arguments
@@ -347 +377 @@
     // convert %xx and + to their appropriate equivalents
     decode_cgi_arg (value);
+
+    safe_cgi_arg(value); // mitigate obvious cross-site scripting hacks in URL cgi-params
+
     value.setencoding(1); // other encoding
     // store this key=value pair