

[src/trunk]: src/libexec/httpd libexec/httpd: fix cross-site scripting in Lua...



details:   https://anonhg.NetBSD.org/src/rev/095b8c8b08bf
branches:  trunk
changeset: 959902:095b8c8b08bf
user:      rillig <rillig%NetBSD.org@localhost>
date:      Sun Feb 28 16:10:00 2021 +0000

description:
libexec/httpd: fix cross-site scripting in Lua example

curl \
  --header 'NAME<x>: <y>' \
  'http://127.0.0.1:8080/test/printenv?<b>=<i>'

diffstat:

 libexec/httpd/printenv.lua |  14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

diffs (51 lines):

diff -r 18a328518f43 -r 095b8c8b08bf libexec/httpd/printenv.lua
--- a/libexec/httpd/printenv.lua        Sun Feb 28 12:45:47 2021 +0000
+++ b/libexec/httpd/printenv.lua        Sun Feb 28 16:10:00 2021 +0000
@@ -1,4 +1,4 @@
--- $NetBSD: printenv.lua,v 1.4 2020/08/25 20:02:33 leot Exp $
+-- $NetBSD: printenv.lua,v 1.5 2021/02/28 16:10:00 rillig Exp $
 
 -- this small Lua script demonstrates the use of Lua in (bozo)httpd
 -- it will simply output the "environment"
@@ -14,6 +14,10 @@
 
 local httpd = require 'httpd'
 
+function escape_html(s)
+  return s:gsub('&', '&amp;'):gsub('<', '&lt;'):gsub('>', '&gt;'):gsub('"', '&quot;')
+end
+
 function printenv(env, headers, query)
 
        -- we get the "environment" in the env table, the values are more
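Review bot: `escape_html` on the added lines returns two values, because `return` forwards both results of the final `:gsub` (the escaped string and its substitution count); the callers in this commit only use it inside `..` expressions, which truncate to the first value, but a call such as `httpd.print(escape_html(v))` would silently pass the count as an extra argument. Wrapping the chain in parentheses drops the count: `return (s:gsub('&', '&amp;'):gsub('<', '&lt;'):gsub('>', '&gt;'):gsub('"', '&quot;'))`. The helper also has no reason to be global — `local function escape_html(s)` keeps it out of `_G`, unlike `printenv`, which presumably is looked up by name by httpd. It accepts only strings (`s:gsub` fails on a number), which is fine if every env, header and query value is a string — a `tostring(s)` first would make it robust if that is not guaranteed. `printenv`'s body continues past the end of this hunk.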
@@ -40,18 +44,18 @@
        httpd.print('<h2>Server Environment</h2>')
        -- print the list of "environment" variables
        for k, v in pairs(env) do
-               httpd.print(k .. '=' .. v .. '<br/>')
+               httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
        end
 
        httpd.print('<h2>Request Headers</h2>')
        for k, v in pairs(headers) do
-               httpd.print(k .. '=' .. v .. '<br/>')
+               httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
        end
 
        if query ~= nil then
                httpd.print('<h2>Query Variables</h2>')
                for k, v in pairs(query) do
-                       httpd.print(k .. '=' .. v .. '<br/>')
+                       httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
                end
        end
 
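Review bot: The escaped print line `httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')` is now repeated three times in this hunk and once more in the following hunk (the `pairs(query)` loop before `httpd.print('No values')`); a single helper such as `local function print_pair(k, v) httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>') end` would keep the escaping in one place, so a future loop over request data cannot reintroduce the unescaped form. `printenv` starts and ends outside this hunk.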
@@ -83,7 +87,7 @@
                end
 
                for k, v in pairs(query) do
-                       httpd.print(k .. '=' .. v .. '<br/>')
+                       httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
                end
        else
                httpd.print('No values')


