cgi_error_no_template(): Encode the template name to prevent XSS

author Fabian Keil <fk@fabiankeil.de>

Tue, 2 Nov 2021 11:11:37 +0000 (12:11 +0100)

committer Fabian Keil <fk@fabiankeil.de>

Tue, 7 Dec 2021 14:06:06 +0000 (15:06 +0100)
author Fabian Keil <fk@fabiankeil.de>
Tue, 2 Nov 2021 11:11:37 +0000 (12:11 +0100)
committer Fabian Keil <fk@fabiankeil.de>
Tue, 7 Dec 2021 14:06:06 +0000 (15:06 +0100)
diff --git a/cgi.c b/cgi.c

index cb1f072..e92f749 100644 (file)
--- a/cgi.c
+++ b/cgi.c
@@ -1199,7 +1199,8 @@ jb_err cgi_error_no_template(const struct client_state *csp,
        ").</p>\n"
        "</body>\n"
        "</html>\n";
-   const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
+   size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
+   const char *encoded_template_name;
  
     assert(csp);
     assert(rsp);
@@ -1213,9 +1214,17 @@ jb_err cgi_error_no_template(const struct client_state *csp,
     rsp->head_length = 0;
     rsp->is_static = 0;
  
+   encoded_template_name = html_encode(template_name);
+   if (encoded_template_name == NULL)
+   {
+      return JB_ERR_MEMORY;
+   }
+
+   body_size += strlen(encoded_template_name);
     rsp->body = malloc_or_die(body_size);
     strlcpy(rsp->body, body_prefix, body_size);
-   strlcat(rsp->body, template_name, body_size);
+   strlcat(rsp->body, encoded_template_name, body_size);
+   freez(encoded_template_name);
     strlcat(rsp->body, body_suffix, body_size);
  
     rsp->status = strdup(status);
author	Fabian Keil <fk@fabiankeil.de>
	Tue, 2 Nov 2021 11:11:37 +0000 (12:11 +0100)
committer	Fabian Keil <fk@fabiankeil.de>
	Tue, 7 Dec 2021 14:06:06 +0000 (15:06 +0100)