From 55bffe1782fc04697da4f76d5b8d0d1bd1636862 Mon Sep 17 00:00:00 2001
From: Will Coster
Date: Thu, 31 Mar 2016 10:22:29 -0700
Subject: Fix XSS vulnerability in HTTP errors

The make_error_response method does not properly escape characters that end up in the response body. Since the error code can contain user supplied values this leads to a potential XSS vulnerability.

Example:
echo '' | nc localhost 8888
---
 mitmproxy/models/http.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mitmproxy/models/http.py b/mitmproxy/models/http.py
index 40460182..f3d425aa 100644
--- a/mitmproxy/models/http.py
+++ b/mitmproxy/models/http.py
@@ -1,5 +1,6 @@
 from __future__ import (absolute_import, print_function, division)
 from six.moves import http_cookies as Cookie
+import cgi
 import copy
 import warnings
 from email.utils import parsedate_tz, formatdate, mktime_tz
@@ -429,7 +430,7 @@ def make_error_response(status_code, message, headers=None):
 %s
- """.strip() % (status_code, response, message)
+ """.strip() % (status_code, response, cgi.escape(message))
 body = body.encode("utf8", "replace")
 if not headers:
--
cgit v1.2.3
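Review bot: `cgi.escape` on the added line of the second hunk is deprecated since Python 3.2 and removed in 3.8, and with its default `quote=False` it leaves `"` untouched, so the forward-compatible form is `html.escape(message)` (which escapes quotes by default) with `import html` in place of `import cgi` in the first hunk; if the module must keep running on Python 2, which the `six.moves` import suggests, keep `cgi.escape` but call it as `cgi.escape(message, quote=True)` so `"` is escaped too. The same format string also interpolates `response` into the page unescaped; that is only safe if it is always a fixed string from the status-code table and never request-derived — worth confirming, given the commit message says the error code can carry user-supplied values. A short comment on the escaped line, `# message may echo request data; escape it so the HTML error page cannot carry injected markup`, would record why the escape is there. make_error_response begins before and continues past this hunk.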