commit: c46d755909b8f5cb366ef1b9bf20647eca3724bc
parent 1923e07dd5600359e60cd6bcb4ee202e5f5bf4a3
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Wed, 11 Nov 2020 09:04:05 +0100
nginx/02 custom autoindex.patch: Do html escaping to avoid XSS
Diffstat:
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/patches/www-servers/nginx/02 custom autoindex.patch b/patches/www-servers/nginx/02 custom autoindex.patch
@@ -12,7 +12,7 @@ index 2af88a0..18c7570 100644
static ngx_buf_t *ngx_http_autoindex_html(ngx_http_request_t *r,
ngx_array_t *entries);
static ngx_buf_t *ngx_http_autoindex_json(ngx_http_request_t *r,
-@@ -478,7 +475,8 @@ ngx_http_autoindex_html(ngx_http_request_t *r, ngx_array_t *entries)
+@@ -476,7 +475,8 @@ ngx_http_autoindex_html(ngx_http_request_t *r, ngx_array_t *entries)
+ sizeof(header) - 1
+ r->uri.len + escape_html
+ sizeof("</h1>") - 1
@@ -22,24 +22,21 @@ index 2af88a0..18c7570 100644
+ sizeof("</pre><hr>") - 1
+ sizeof(tail) - 1;
-@@ -499,14 +497,12 @@ ngx_http_autoindex_html(ngx_http_request_t *r, ngx_array_t *entries)
- }
-
- entry_len = sizeof("<a href=\"") - 1
-- + entry[i].name.len + entry[i].escape
-+ + entry[i].name.len
+@@ -498,12 +498,11 @@ ngx_http_autoindex_html(ngx_http_request_t *r, ngx_array_t *entries)
+ + entry[i].name.len + entry[i].escape
+ 1 /* 1 is for "/" */
+ sizeof("\">") - 1
- + entry[i].name.len - entry[i].utf_len
-- + entry[i].escape_html
-- + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof(">") - 2
+ + entry[i].utf_len
+ + entry[i].escape_html
+- + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof(">") - 2
+ sizeof("</a>") - 1
+ sizeof(" 28-Sep-1970 12:00 ") - 1
- + 20 /* the file size */
+ + 256 /* the file size */
+ 2;
+ if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
@@ -531,14 +527,14 @@ ngx_http_autoindex_html(ngx_http_request_t *r, ngx_array_t *entries)
b->last = ngx_cpymem(b->last, "</h1>", sizeof("</h1>") - 1);
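Review bot: The per-entry size in this hunk reserves `entry[i].utf_len + entry[i].escape_html` bytes for the link text, but the copy in the later hunks writes `entry[i].name.len` bytes with `ngx_cpymem` and then re-escapes that same span with `ngx_escape_html`. In stock nginx `utf_len` is a character count, so for names containing multi-byte UTF-8 characters it is smaller than `name.len`, and the bound then appears to rely on the `256 /* the file size */` slack to keep the write inside the buffer. Reserving bytes rather than characters, `+ entry[i].name.len` in place of `+ entry[i].utf_len`, would make the reservation match what is written. The `entry_len` expression and the rest of `ngx_http_autoindex_html` extend beyond the lines shown here, so this should be confirmed against the full patched function.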
@@ -58,12 +55,12 @@ index 2af88a0..18c7570 100644
if (entry[i].escape) {
ngx_escape_uri(b->last, entry[i].name.data, entry[i].name.len,
-@@ -558,69 +554,19 @@ ngx_http_autoindex_html(ngx_http_request_t *r, ngx_array_t *entries)
+@@ -558,69 +556,27 @@ ngx_http_autoindex_html(ngx_http_request_t *r, ngx_array_t *entries)
*b->last++ = '"';
*b->last++ = '>';
-- len = entry[i].utf_len;
--
+ len = entry[i].utf_len;
+
- if (entry[i].name.len != len) {
- if (len > NGX_HTTP_AUTOINDEX_NAME_LEN) {
- char_len = NGX_HTTP_AUTOINDEX_NAME_LEN - 3 + 1;
@@ -75,6 +72,7 @@ index 2af88a0..18c7570 100644
- last = b->last;
- b->last = ngx_utf8_cpystrn(b->last, entry[i].name.data,
- char_len, entry[i].name.len + 1);
++ last = b->last;
+ b->last = ngx_cpymem(b->last, entry[i].name.data,
+ entry[i].name.len);
@@ -82,7 +80,11 @@ index 2af88a0..18c7570 100644
- b->last = (u_char *) ngx_escape_html(last, entry[i].name.data,
- b->last - last);
- }
--
++ if (entry[i].escape_html) {
++ b->last = (u_char *) ngx_escape_html(last, entry[i].name.data,
++ b->last - last);
++ }
+
- last = b->last;
-
- } else {