libexec/httpd: fix cross-site scripting in Lua example

curl \ --header 'NAME<x>: <y>' \ 'http://127.0.0.1:8080/test/printenv?<b>=<i>'
2021-02-28 16:10:00 +00:00 · 2021-02-28 16:10:00 +00:00 · 95f34171ac
parent a75e3514c2
commit 95f34171ac
1 changed files with 9 additions and 5 deletions
--- a/libexec/httpd/printenv.lua
+++ b/libexec/httpd/printenv.lua
@ -1,4 +1,4 @@
-- $NetBSD: printenv.lua,v 1.4 2020/08/25 20:02:33 leot Exp $
+-- $NetBSD: printenv.lua,v 1.5 2021/02/28 16:10:00 rillig Exp $

 -- this small Lua script demonstrates the use of Lua in (bozo)httpd
 -- it will simply output the "environment"
@ -14,6 +14,10 @@

 local httpd = require 'httpd'

+function escape_html(s)
+  return s:gsub('&', '&amp;'):gsub('<', '&lt;'):gsub('>', '&gt;'):gsub('"', '&quot;')
+end
+
 function printenv(env, headers, query)

 	-- we get the "environment" in the env table, the values are more
@ -40,18 +44,18 @@ function printenv(env, headers, query)
 	httpd.print('<h2>Server Environment</h2>')
 	-- print the list of "environment" variables
 	for k, v in pairs(env) do
-		httpd.print(k .. '=' .. v .. '<br/>')
+		httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
 	end

 	httpd.print('<h2>Request Headers</h2>')
 	for k, v in pairs(headers) do
-		httpd.print(k .. '=' .. v .. '<br/>')
+		httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
 	end

 	if query ~= nil then
 		httpd.print('<h2>Query Variables</h2>')
 		for k, v in pairs(query) do
-			httpd.print(k .. '=' .. v .. '<br/>')
+			httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
 		end
 	end

@ -83,7 +87,7 @@ function form(env, header, query)
 		end

 		for k, v in pairs(query) do
-			httpd.print(k .. '=' .. v .. '<br/>')
+			httpd.print(escape_html(k) .. '=' .. escape_html(v) .. '<br/>')
 		end
 	else
 		httpd.print('No values')