diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2010-11-13 13:50:54 +0000 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2010-11-13 13:50:54 +0000 |
commit | 0aa85e71313390dd07e1a6fb8c4d87b62c1f69a6 (patch) | |
tree | 3c6cc3d7bf441bf8c81e97d9bd190afe7360bc55 /libs | |
parent | 5a03beffcb753780f3442ce3899713d08aeb0562 (diff) |
libs/web: stricter validation in build_url(), prevents some XSS
Diffstat (limited to 'libs')
-rw-r--r-- | libs/web/luasrc/dispatcher.lua | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/libs/web/luasrc/dispatcher.lua b/libs/web/luasrc/dispatcher.lua index 8d5c02e607..451476202d 100644 --- a/libs/web/luasrc/dispatcher.lua +++ b/libs/web/luasrc/dispatcher.lua @@ -52,11 +52,25 @@ local fi -- @return Relative URL function build_url(...) local path = {...} - local sn = http.getenv("SCRIPT_NAME") or "" + local url = { http.getenv("SCRIPT_NAME") or "" } + + local k, v for k, v in pairs(context.urltoken) do - sn = sn .. "/;" .. k .. "=" .. http.urlencode(v) + url[#url+1] = "/;" + url[#url+1] = http.urlencode(k) + url[#url+1] = "=" + url[#url+1] = http.urlencode(v) end - return sn .. ((#path > 0) and "/" .. table.concat(path, "/") or "") + + local p + for _, p in ipairs(path) do + if p:match("^[a-zA-Z0-9_%-%./,;]+$") then + url[#url+1] = "/" + url[#url+1] = p + end + end + + return table.concat(url, "") end --- Send a 404 error code and render the "error404" template if available. @@ -181,7 +195,7 @@ function dispatch(request) for i, s in ipairs(request) do local tkey, tval if t then - tkey, tval = s:match(";(%w+)=(.*)") + tkey, tval = s:match(";(%w+)=([a-fA-F0-9]*)") end if tkey then |