Escape the untrusted request URL input in the permission denied HTML output.
This fixes certain XSS vulnerabilities which can be leveraged to further
exploit the system.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
static void cgi_handle_request(struct client *cl, char *url, struct path_info *pi)
{
unsigned int mode = S_IFREG | S_IXOTH;
+ char *escaped_url;
if (!pi->ip && !((pi->stat.st_mode & mode) == mode)) {
+ escaped_url = uh_htmlescape(url);
+
uh_client_error(cl, 403, "Forbidden",
"You don't have permission to access %s on this server.",
- url);
+ escaped_url ? escaped_url : "the url");
+
+ if (escaped_url)
+ free(escaped_url);
+
return;
}
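Review bot: The `if (escaped_url)` guard in front of `free(escaped_url);` is redundant, since `free(NULL)` is a no-op; the two lines can collapse to `free(escaped_url);`, and `char *escaped_url;` could be declared at the top of the `if` block, the only place it is used. Falling back to the fixed string `"the url"` when `uh_htmlescape()` returns NULL is the right choice, because the raw `url` is then never written into the 403 body; a short comment such as `/* url is request-controlled: never emit it unescaped */` above the call would keep a later edit from undoing that. `uh_htmlescape()` is not shown here, so it is worth confirming that it escapes at least `<`, `>`, `&` and both quote characters. Any other error path that passes request-derived strings to `uh_client_error()` presumably needs the same treatment. The body of `cgi_handle_request` continues outside this hunk.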