Re: [hackers] [quark][PATCH] HTML-escape dirlist dynamic content

From: Laslo Hunhold <dev_AT_frign.de>
Date: Wed, 25 Mar 2020 15:34:04 +0100

On Tue, 10 Mar 2020 19:52:17 +0200
guysv <sviryguy_AT_gmail.com> wrote:

Dear guysv,

> Because ",',<,>,& are all valid unix filename characters,
> filenames containing those characters can glitch-out a dirlist
> response.
>
> A funny example would be:
> "><img src="blabla" onerror="alert(1)"
>
> This commit escapes dynamic input, and fixes the bug.

sorry for the late response and thanks for submitting this patch! I've
written a commit[0] reflecting your suggestion, but made some changes
in that I structured the different escapes in a struct-array and used
explicit offsets and memcpy() instead of strcat(). I didn't like that
we assumed the length of the destination to be sufficient (which it
was, but reusability is key), so I made it safe by checking the offsets
properly.

Now the dirlistings in quark are safe from XSS. Thanks again for your
input and thank you Hiltjo for your feedback!

With best regards

Laslo

[0]: https://git.suckless.org/quark/commit/48e74a598247f4b81e09a0f652faf15163f9f525.html
Received on Wed Mar 25 2020 - 15:34:04 CET
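The bounded escaping approach the mail describes (a struct-array of escapes, explicit offsets, memcpy() guarded by an offset check), written out here as an added example; this is not the quark commit's code, and the function name html_escape, its return convention and the entity spellings are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* escape table: each special character and its HTML entity */
static const struct {
	char c;
	const char *esc;
} escapes[] = {
	{ '&',  "&amp;"  },
	{ '<',  "&lt;"   },
	{ '>',  "&gt;"   },
	{ '"',  "&quot;" },
	{ '\'', "&#x27;" },
};

/*
 * HTML-escape src into dst (dstsiz bytes, NUL included). Returns the
 * number of bytes written without the NUL, or -1 when dst is too small;
 * dst is always NUL-terminated, never overrun, and never cut mid-entity.
 */
int
html_escape(const char *src, char *dst, size_t dstsiz)
{
	size_t off = 0, i, len;
	const char *rep;

	if (dstsiz == 0)
		return -1;

	for (; *src; src++) {
		rep = NULL;
		for (i = 0; i < sizeof(escapes) / sizeof(*escapes); i++) {
			if (escapes[i].c == *src) {
				rep = escapes[i].esc;
				break;
			}
		}
		len = rep ? strlen(rep) : 1;
		/* explicit offset check before each memcpy(): leave room for NUL */
		if (off + len >= dstsiz) {
			dst[off] = '\0';
			return -1;
		}
		memcpy(dst + off, rep ? rep : src, len);
		off += len;
	}
	dst[off] = '\0';
	return (int)off;
}
```

Fed the filename from the quoted report, the function yields `&quot;&gt;&lt;img src=&quot;blabla&quot; onerror=&quot;alert(1)&quot;`, which the browser renders as text rather than markup.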