libexec/httpd: fix cross-site scripting in Lua example
curl \
    --header 'NAME<x>: <y>' \
    'http://127.0.0.1:8080/test/printenv?<b>=<i>'
This commit is contained in:
parent
a75e3514c2
commit
95f34171ac
|
@ -1,4 +1,4 @@
|
|||
-- $NetBSD: printenv.lua,v 1.4 2020/08/25 20:02:33 leot Exp $
|
||||
-- $NetBSD: printenv.lua,v 1.5 2021/02/28 16:10:00 rillig Exp $
|
||||
|
||||
-- this small Lua script demonstrates the use of Lua in (bozo)httpd
|
||||
-- it will simply output the "environment"
|
||||
|
@ -14,6 +14,10 @@
|
|||
|
||||
local httpd = require 'httpd'
|
||||
|
||||
function escape_html(s)
|
||||
return s:gsub('&', '&'):gsub('<', '<'):gsub('>', '>'):gsub('"', '"')
|
||||
end
|
||||
|
||||
function printenv(env, headers, query)
|
||||
|
||||
-- we get the "environment" in the env table, the values are more
|
||||
|
@ -40,18 +44,18 @@ function printenv(env, headers, query)
|
|||
httpd.print('<h2>Server Environment</h2>')
|
||||
-- print the list of "environment" variables
|
||||
for k, v in pairs(env) do
|
||||
httpd.print(k .. '=' .. v .. '<br/>')
|
||||
httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
|
||||
end
|
||||
|
||||
httpd.print('<h2>Request Headers</h2>')
|
||||
for k, v in pairs(headers) do
|
||||
httpd.print(k .. '=' .. v .. '<br/>')
|
||||
httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
|
||||
end
|
||||
|
||||
if query ~= nil then
|
||||
httpd.print('<h2>Query Variables</h2>')
|
||||
for k, v in pairs(query) do
|
||||
httpd.print(k .. '=' .. v .. '<br/>')
|
||||
httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -83,7 +87,7 @@ function form(env, header, query)
|
|||
end
|
||||
|
||||
for k, v in pairs(query) do
|
||||
httpd.print(k .. '=' .. v .. '<br/>')
|
||||
httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
|
||||
end
|
||||
else
|
||||
httpd.print('No values')
|
||||
|
|
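Review bot: `escape_html` forwards both results of the final `gsub` (the string and the match count) because `return` does not truncate the call, so a caller that passes it as the last argument, e.g. `httpd.print(escape_html(v))`, would hand the count to `httpd.print`; the concatenations in this commit happen to truncate it, but the function should return one value: `return (s:gsub('&', '&amp;'):gsub('<', '&lt;'):gsub('>', '&gt;'):gsub('"', '&quot;'))`. As rendered here the replacement strings look identical to the patterns, which would make the function a no-op; presumably the entities were decoded by the page, but it is worth confirming the committed file really contains `&amp;`, `&lt;`, `&gt;` and `&quot;`. The old `k .. '=' .. v` coerced numbers, whereas `s:gsub` raises on a non-string value, so if env, header or query values are not guaranteed to be strings, escape `tostring(s)` instead. Since the helper is only used in this file, `local function escape_html(s)` would keep it out of the global environment, and a one-line comment such as `-- escape text for HTML element content; single quotes are not escaped, so do not use it for attribute values` documents the limit of what it covers.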