[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[Libevent-users] [evhttp] Prefer text/plain over text/html
- To: libevent-users <libevent-users@xxxxxxxx>
- Subject: [Libevent-users] [evhttp] Prefer text/plain over text/html
- From: Felix Nawothnig <felix.nawothnig@xxxxxxxxxxxxxx>
- Date: Sat, 29 May 2010 23:05:26 +0200
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: libevent-users-outgoing@xxxxxxxx
- Delivered-to: libevent-users@xxxxxxxx
- Delivery-date: Sat, 29 May 2010 17:05:40 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:content-type :date:message-id:mime-version:x-mailer:content-transfer-encoding; bh=GTJh7bPue+alWO2A3r8iU2TTlDphdgihvIVDiqUHG4s=; b=Bp+kGuX8NpP8hcmHiSbOg6ZuWgqNIxVPbfYuU9fBEekXsjc2olahKy9Dgy2vs+FpAZ t54qVkwURS0BDndSNPbLu8sqNzo1IW5D4NpIwXvRo5KHnmB/AzzzILwswzA+HEpQQJni 1/sYMu8546OczzAv6YwDMDGF2F64EKAqbHxbQ=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=subject:from:to:content-type:date:message-id:mime-version:x-mailer :content-transfer-encoding; b=tz/0r65x8N2Wds0kDLegTUx8zDtGMkD6lnp5/+00Yn5SXatcPAQW/zFTHdRqbQuOCc AoAXcH2BsMdrAZYlo4HCwK3Kp8XL8xvV4bDhiKE3EBIEFxm4nVYsalWC31mS0a/47wLA RsExRMxs2wqQxAa4WIE+zjK19OsCA0TRAupqE=
- Reply-to: libevent-users@xxxxxxxxxxxxx
- Sender: owner-libevent-users@xxxxxxxxxxxxx
Hi.
While working on an HTML-escaping filter for my evhttp_send_reply_html()
something came to me...
The purpose of evhttp is to build something around a really minimalistic
httpd, possibly in the embedded world; so you want to report error
messages beyond the HTTP status code - and on the other hand you don't
want to participate your web-server in cross-site-scripting attacks, so
any HTML response must be properly escaped.
The only place where you have such a situation currently is in your 404
handler where you manually escape it, but even that is somewhat
unfortunate; low-memory conditions could make the escaping fail and you
could no longer actually report the first failure.
Now, it's a reasonable assumption that an application built on top of
evhttp will also have lots of cases where something went wrong and they
want to get out with an error-message. In my application there are lots
of code fragments like:
if(stm == NULL) {
evhttp_send_reply_html(req, 404,
"Stream %"PRIxPTR" not found", stream_id);
return;
}
if(stm->bev == NULL) {
evhttp_send_reply_html(req, 400,
"Stream not connected");
return;
}
if(bufferevent_write_buffer(stm->bev, req->input_buffer) < 0) {
evhttp_send_reply_html(req, 500,
"Writing to buffer failed");
return;
}
Granted, in these cases escaping is not an issue, but I have other
fragments where I put part of the input in the response - thereby
opening the world to XSS unless the response is escaped.
So my idea is - why not stick to text/plain in both evhttp_send_error
and my envisioned evhttp_send_reply_html? (which obviously would need
another name).
To further discourage developers to introduce format-string-related
vulnerabilities the functions should probably split into:
evhttp_send_reply_text(struct evhttp_request *req,
int code, const char *msg);
evhttp_send_reply_textf(struct evhttp_request *req,
int code, const char *fmt, ...);
As for the status phrase - I think it would be nicest to only include
it for non 2xx codes like:
$ curl http://127.0.0.1:8080/stream?action=foo
ERROR 400: Bad Request
Invalid action 'foo' specified
$
But:
$ curl http://127.0.0.1:8080/stream?action=create
20e7cf0
$
Just thinking out loud here... tell me what you think.
Cheers,
Felix
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxx with
unsubscribe libevent-users in the body.