[cpif] r51 - trunk/frontend-web
Author: jcea
Date: Fri May 18 15:38:30 2007
New Revision: 51
Log:
Indicamos un "charset" y "escapamos" los caracteres
HTML especiales, para evitar ataques XSS.
El código actual no elimina todas las posibilidades
futuras. Por ejemplo, habría que filtrar los
siguientes caracteres: <, >, &, " y ', cosa que el
código actual no hace (aún) porque de momento no
es necesario.
Modified:
trunk/frontend-web/servidor_web.py
trunk/frontend-web/url_.py
trunk/frontend-web/url_INVALIDA.py
trunk/frontend-web/url_hilo.py
trunk/frontend-web/url_nuevo_hilo_POST.py
trunk/frontend-web/url_nuevo_post_POST.py
trunk/frontend-web/url_stop.py
Modified: trunk/frontend-web/servidor_web.py
==============================================================================
--- trunk/frontend-web/servidor_web.py (original)
+++ trunk/frontend-web/servidor_web.py Fri May 18 15:38:30 2007
@@ -15,7 +15,7 @@
usuarios=[i["nick"] for i in conn.get_root()["usuarios"]["usuarios"].values()]
texto=["<p><li><a href='/%s'>%s</a>" %(i,i) for i in usuarios]
- return (200,"text/html",
+ return (200,"text/html; charset=utf-8",
"""
<html><head></head>
<body><h1>Elige el usuario</h1>
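Review bot: The nick values interpolated on the line `texto=["<p><li><a href='/%s'>%s</a>" %(i,i) for i in usuarios]` are still written into the page unescaped, so the charset change alone does not close the XSS the log describes for this page. The href attribute is single-quoted and `cgi.escape(i, True)` only escapes `"`, so either switch the attribute to double quotes or also replace `'` with `&#39;`; the path part should additionally be URL-encoded, e.g. `"<p><li><a href=\"/%s\">%s</a>" % (urllib.quote(i), cgi.escape(i, True))`. Whether nicks are validated at registration is not visible here. The enclosing handler function starts before this hunk.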
@@ -42,7 +42,7 @@
resultado=urls["INVALIDA"](self,path,usuario)
except :
self.send_response(500)
- self.send_header("Content-Type","text/plain")
+ self.send_header("Content-Type","text/plain; charset=utf-8")
self.end_headers()
import traceback
self.wfile.write(traceback.format_exc())
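Review bot: The 500 path still sends `traceback.format_exc()` to the client, which discloses file paths, source lines and internal names to whoever triggered the error; the added charset does not change that. Log the traceback server-side and return a fixed message instead, e.g. `traceback.print_exc()` followed by `self.wfile.write("Error interno")`. The bare `except :` at the top of the hunk also swallows `KeyboardInterrupt` and `SystemExit`; `except Exception:` is the narrower form. The enclosing method begins before this hunk.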
Modified: trunk/frontend-web/url_.py
==============================================================================
--- trunk/frontend-web/url_.py (original)
+++ trunk/frontend-web/url_.py Fri May 18 15:38:30 2007
@@ -61,7 +61,7 @@
import calendario
- return(200,"text/html",
+ return(200,"text/html; charset=utf-8",
"""
<html><head><title>Página principal</title></head><body>
<style>
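Review bot: The header now promises UTF-8, but nothing in this hunk guarantees the body bytes are UTF-8: the literal `Página` on the `<title>` line is a Python 2 byte string whose encoding is whatever the source file was saved as, so the module needs a `# -*- coding: utf-8 -*-` declaration and must actually be saved as UTF-8 — confirm that outside the hunk. Consider repeating the charset in the document as well, `<meta http-equiv="Content-Type" content="text/html; charset=utf-8">` inside `<head>`, so the declaration survives if the page is saved or proxied without the header. The enclosing function starts before this hunk.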
Modified: trunk/frontend-web/url_INVALIDA.py
==============================================================================
--- trunk/frontend-web/url_INVALIDA.py (original)
+++ trunk/frontend-web/url_INVALIDA.py Fri May 18 15:38:30 2007
@@ -3,5 +3,5 @@
from globales import monitor
def gestiona_url(handler,path,usuario) :
- return (401,"text/html","La URL introducida es incorrecta")
+ return (401,"text/html; charset=utf-8","La URL introducida es incorrecta")
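Review bot: An unrecognised URL is answered with status 401 on the returned tuple, but 401 means the request lacked credentials and per RFC 2616 must carry a `WWW-Authenticate` header; the correct status for an unknown path is 404. Change it to `return (404,"text/html; charset=utf-8","La URL introducida es incorrecta")`. If the 401 is deliberate because the dispatcher also routes unauthenticated requests here, that is not visible in this hunk and deserves a comment on the function.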
Modified: trunk/frontend-web/url_hilo.py
==============================================================================
--- trunk/frontend-web/url_hilo.py (original)
+++ trunk/frontend-web/url_hilo.py Fri May 18 15:38:30 2007
@@ -23,7 +23,7 @@
texto.append("<div class='%s'><a name='%s'><p>Autor: %s - fecha: %s</a>" %(estilo,msg_num,autor,time.ctime(TS)))
texto.append("<p>%s</div>" %cuerpo)
- return(200,"text/html",
+ return(200,"text/html; charset=utf-8",
"""
<html><head></head><body>
<style>
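Review bot: `autor` on the `texto.append("<div class='%s'><a name='%s'>...` line is interpolated into the page unescaped, and `cuerpo` is only safe if it was escaped when stored — posts saved before r51, or any other caller of `mensaje_add`, would be rendered raw. Escaping at output time is the robust rule: at least `cgi.escape(autor)` here, and ideally store raw text and escape `cuerpo` on render (the `<br>` markup currently added at input time would then move here too). `msg_num` inside the `name='%s'` attribute is presumably an integer; confirm. The enclosing function starts before this hunk.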
Modified: trunk/frontend-web/url_nuevo_hilo_POST.py
==============================================================================
--- trunk/frontend-web/url_nuevo_hilo_POST.py (original)
+++ trunk/frontend-web/url_nuevo_hilo_POST.py Fri May 18 15:38:30 2007
@@ -7,8 +7,8 @@
import cgi
ctype,pdict=cgi.parse_header(handler.headers.getheader('content-type'))
cuerpo=cgi.FieldStorage(fp=handler.rfile,headers=handler.headers,environ={'REQUEST_METHOD':'POST'},keep_blank_values=1)
- titulo=cuerpo.getfirst("titulo")
- texto=cuerpo.getfirst("texto")
+ titulo=cgi.escape(cuerpo.getfirst("titulo"))
+ texto=cgi.escape(cuerpo.getfirst("texto"))
texto=texto.replace("\r","").replace("\n","<br>\r\n")
import database
database.mensaje_add(conn,texto,usuario,titulo=titulo)
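Review bot: `cgi.escape(cuerpo.getfirst("titulo"))` raises `AttributeError` when the form omits the field, because `getfirst` returns `None` by default, and that lands in the 500 handler that dumps a traceback; use `cuerpo.getfirst("titulo", "")` (same for `texto`). Pass `quote=True` as well so `"` is escaped, since the log itself notes quotes are not yet covered and a title may later be placed inside an attribute: `titulo=cgi.escape(cuerpo.getfirst("titulo", ""), True)`. Escaping before the `database.mensaje_add` call stores HTML rather than the user's text, which ties the database to this one rendering; escaping on output is the usual alternative. The enclosing function starts before this hunk.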
Modified: trunk/frontend-web/url_nuevo_post_POST.py
==============================================================================
--- trunk/frontend-web/url_nuevo_post_POST.py (original)
+++ trunk/frontend-web/url_nuevo_post_POST.py Fri May 18 15:38:30 2007
@@ -9,7 +9,7 @@
import cgi
ctype,pdict=cgi.parse_header(handler.headers.getheader('content-type'))
cuerpo=cgi.FieldStorage(fp=handler.rfile,headers=handler.headers,environ={'REQUEST_METHOD':'POST'},keep_blank_values=1)
- texto=cuerpo.getfirst("texto")
+ texto=cgi.escape(cuerpo.getfirst("texto"))
texto=texto.replace("\r","").replace("\n","<br>\r\n")
import database
database.mensaje_add(conn,texto,usuario,hilo=hilo)
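Review bot: The same missing-field case applies here — `cgi.escape(cuerpo.getfirst("texto"))` raises on `None` when the form omits `texto`; `cuerpo.getfirst("texto", "")` avoids the 500. The escape-then-`<br>` sequence is now duplicated between url_nuevo_hilo_POST.py and this file; a single helper, e.g. `def texto_a_html(s): return cgi.escape(s or "", True).replace("\r","").replace("\n","<br>\r\n")`, keeps the two in step when the quote handling the log mentions is added. The enclosing function starts before this hunk.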
Modified: trunk/frontend-web/url_stop.py
==============================================================================
--- trunk/frontend-web/url_stop.py (original)
+++ trunk/frontend-web/url_stop.py Fri May 18 15:38:30 2007
@@ -5,7 +5,7 @@
def gestiona_url(handler,path,usuario) :
handler.must_stop=True
- return (200,"text/html",
+ return (200,"text/html; charset=utf-8",
"""
<html><head></head><body>
<h1>PARAMOS EL SERVICIO!!</h1>
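Review bot: `handler.must_stop=True` stops the service for any client that requests this URL; nothing in this hunk checks who is asking, so unless the dispatcher restricts it elsewhere (not visible here) anyone who can reach the server can shut the frontend down. At minimum gate it on the peer address before setting the flag, e.g. `if handler.client_address[0] != "127.0.0.1": return (403,"text/html; charset=utf-8","Prohibido")` — assuming `handler` is a BaseHTTPRequestHandler as the `send_response` calls elsewhere suggest — or require a secret token. The function body continues past the end of this hunk.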