Prevent cross-site scripting

This commit is contained in:
Trustin Lee 2012-09-29 17:18:18 +09:00
parent 820af50b63
commit ce35386805


@ -217,7 +217,8 @@ public class HttpStaticFileServerHandler extends ChannelInboundMessageHandlerAda
// You will have to do something serious in the production environment.
if (uri.contains(File.separator + ".") ||
uri.contains("." + File.separator) ||
uri.startsWith(".") || uri.endsWith(".")) {
uri.startsWith(".") || uri.endsWith(".") ||
uri.matches(".*[<>&\"].*")) {
return null;
}
@ -230,15 +231,16 @@ public class HttpStaticFileServerHandler extends ChannelInboundMessageHandlerAda
response.setHeader(CONTENT_TYPE, "text/html; charset=UTF-8");
StringBuilder buf = new StringBuilder();
String dirPath = dir.getPath();
buf.append("<!DOCTYPE html>\r\n");
buf.append("<html><head><title>");
buf.append("Listing of: ");
buf.append(dir.getPath());
buf.append(dirPath);
buf.append("</title></head><body>\r\n");
buf.append("<h3>Listing of: ");
buf.append(dir.getPath());
buf.append(dirPath);
buf.append("</h3>\r\n");
buf.append("<ul>");
@ -250,6 +252,9 @@ public class HttpStaticFileServerHandler extends ChannelInboundMessageHandlerAda
}
String name = f.getName();
if (!name.matches("[A-Za-z0-9][-_A-Za-z0-9\\.]*")) {
continue;
}
buf.append("<li><a href=\"");
buf.append(name);