authorWill Coster <willcoster@google.com>2016-03-31 10:22:29 -0700
committerWill Coster <willcoster@google.com>2016-03-31 10:22:29 -0700
commit55bffe1782fc04697da4f76d5b8d0d1bd1636862 (patch)
treea827bb2b3fdc1c0eb1e5a3f62264091f952f5e4a
parentf1c5721c8c6bd2fea1e9f2c0c6fdea099c9ae3de (diff)
Fix XSS vulnerability in HTTP errors
The make_error_response method does not properly escape characters that end up in the response body. Since the error code can contain user-supplied values, this leads to a potential XSS vulnerability. Example: echo '<script>alert(1)</script>' | nc localhost 8888
-rw-r--r--mitmproxy/models/http.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/mitmproxy/models/http.py b/mitmproxy/models/http.py
index 40460182..f3d425aa 100644
--- a/mitmproxy/models/http.py
+++ b/mitmproxy/models/http.py
@@ -1,5 +1,6 @@
from __future__ import (absolute_import, print_function, division)
from six.moves import http_cookies as Cookie
+import cgi
import copy
import warnings
from email.utils import parsedate_tz, formatdate, mktime_tz
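Review bot: The new `import cgi` line pulls in `cgi.escape`, which is deprecated on Python 3 (since 3.2) and removed in 3.8, so this fix will stop importing once the project drops Python 2; the portable replacement is `html.escape`. The two differ in a security-relevant way: `cgi.escape` converts only `&`, `<` and `>` unless `quote=True` is passed, whereas `html.escape` also escapes `"` and `'` by default, which matters the moment an escaped value is placed inside an attribute rather than, as in the second hunk, element text. Since the file already uses `six` and `from __future__` for dual-interpreter support, a guarded import keeps both working and makes the escaping behaviour explicit at the call site (`html_escape(message, quote=True)` in the `%` line of the second hunk). The other two interpolated values on that line, `status_code` and `response`, are still formatted unescaped; if either can carry caller-influenced text it needs the same treatment, but that cannot be confirmed from the visible lines.
```python
from six.moves import http_cookies as Cookie
try:
    from html import escape as html_escape  # Python 3: escapes quotes by default
except ImportError:  # Python 2 has no html.escape
    from cgi import escape as html_escape
# … unchanged: remaining imports …
```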
@@ -429,7 +430,7 @@ def make_error_response(status_code, message, headers=None):
</head>
<body>%s</body>
</html>
- """.strip() % (status_code, response, message)
+ """.strip() % (status_code, response, cgi.escape(message))
body = body.encode("utf8", "replace")
if not headers: