From: Brian Warner Date: Thu, 23 Aug 2007 00:35:01 +0000 (-0700) Subject: web: replace FILE links with /uri -based ones, to prevent an XSS attack against the... X-Git-Url: https://git.rkrishnan.org/pf/content/%22file:/?a=commitdiff_plain;h=f3353ee5e4c38a5f855850ce64e324351d4c7547;p=tahoe-lafs%2Ftahoe-lafs.git web: replace FILE links with /uri -based ones, to prevent an XSS attack against the secret vdrive URI contained in the current URL
---
diff --git a/src/allmydata/test/test_web.py b/src/allmydata/test/test_web.py
index 74fcec6d..6587d74a 100644
--- a/src/allmydata/test/test_web.py
+++ b/src/allmydata/test/test_web.py
@@ -646,7 +646,10 @@ class Web(WebMixin, unittest.TestCase):
 # the addSlash means we get a redirect here
 d = self.GET("/vdrive/global/foo", followRedirect=True)
 def _check(res):
- self.failUnless(re.search(r'bar.txt'
+ # the FILE reference points to a URI, but it should end in bar.txt
+ self.failUnless(re.search(r''
+ 'bar.txt'
+ ''
 '\s+FILE'
 '\s+123'
 , res))
diff --git a/src/allmydata/webish.py b/src/allmydata/webish.py
index 76bcf8d4..52c5ffe3 100644
--- a/src/allmydata/webish.py
+++ b/src/allmydata/webish.py
@@ -167,22 +167,29 @@ class Directory(rend.Page):
 ctx.fillSlots("rename", rename)
 # build the base of the uri_link link url
- uri_link = urllib.quote(target.get_uri().replace("/", "!"))
+ uri_link = "/uri/" + urllib.quote(target.get_uri().replace("/", "!"))
 if IFileNode.providedBy(target):
 # file
- dlurl = urllib.quote(name)
+
+ # add the filename to the uri_link url
+ uri_link += '?%s' % (urllib.urlencode({'filename': name}),)
+
+ # to prevent javascript in displayed .html files from stealing a
+ # secret vdrive URI from the URL, send the browser to a URI-based
+ # page that doesn't know about the vdrive at all
+ #dlurl = urllib.quote(name)
+ dlurl = uri_link
+
 ctx.fillSlots("filename", T.a(href=dlurl)[html.escape(name)])
 ctx.fillSlots("type", "FILE")
 ctx.fillSlots("size", target.get_size())
- text_plain_link = "/uri/%s?filename=foo.txt" % uri_link
+ text_plain_link = uri_link + "?filename=foo.txt"
 text_plain_tag = T.a(href=text_plain_link)["text/plain"]
- # if we're a file, add the filename to the uri_link url
- uri_link += '?%s' % (urllib.urlencode({'filename': name}),)
 elif IDirectoryNode.providedBy(target):
 # directory
@@ -202,7 +209,7 @@ class Directory(rend.Page):
 childdata = [T.a(href="%s?t=json" % name)["JSON"], ", ",
 T.a(href="%s?t=uri" % name)["URI"], ", ",
 T.a(href="%s?t=readonly-uri" % name)["readonly-URI"], ", ",
- T.a(href="/uri/%s" % uri_link)["URI-link"],
+ T.a(href=uri_link)["URI-link"],
 ]
 if text_plain_tag:
 childdata.extend([", ", text_plain_tag])
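Review bot: `text_plain_link = uri_link + "?filename=foo.txt"` is now evaluated after `uri_link += '?%s' % (urllib.urlencode({'filename': name}),)`, so the text/plain link carries two `?` and its query string becomes `filename=<name>?filename=foo.txt` instead of `filename=foo.txt`; the removed code built this link from the bare URI before the filename was appended, and the reordering loses that. Keep the bare link in its own name and derive both links from it: `uri_base = "/uri/" + urllib.quote(target.get_uri().replace("/", "!"))`, `uri_link = uri_base + '?%s' % (urllib.urlencode({'filename': name}),)`, `text_plain_link = uri_base + "?filename=foo.txt"`. The test added in test_web.py only matches the bar.txt FILE link, so this regression in the text/plain link is not covered; a second assertion on that href would pin it. The commented-out `#dlurl = urllib.quote(name)` should be dropped rather than kept as dead code, since the comment above it already records why the target changed. The enclosing render method starts and ends outside the hunk.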