authorReyk Floeter <reyk@cvs.openbsd.org>2014-10-21 13:00:34 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2014-10-21 13:00:34 +0000
commit5de3e50959f013adebcc67d3305eb5da1ca8198f (patch)
tree64562e366e143f0ee6a44b18eef9a0f2fb0c6326
parente75da720bf10857a1d0b8ca1d4134d92184a4454 (diff)
Rework the error message a little bit: Do not send details of the
error. Traditionally, web servers responded with the request path on 40x errors, which could be abused to inject JavaScript etc. Instead of sanitizing the path, we just don't reprint it. Also modify the style a little bit but keep Comic Sans. With input from Jonas Lindemann and doug@
-rw-r--r--usr.sbin/httpd/server_file.c4
-rw-r--r--usr.sbin/httpd/server_http.c24
2 files changed, 16 insertions, 12 deletions
diff --git a/usr.sbin/httpd/server_file.c b/usr.sbin/httpd/server_file.c
index ef337e7ccb1..1dc60398614 100644
--- a/usr.sbin/httpd/server_file.c
+++ b/usr.sbin/httpd/server_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_file.c,v 1.37 2014/10/02 19:22:43 reyk Exp $ */
+/* $OpenBSD: server_file.c,v 1.38 2014/10/21 13:00:33 reyk Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -311,7 +311,7 @@ server_file_index(struct httpd *env, struct client *clt, struct stat *st)
/* A CSS stylesheet allows minimal customization by the user */
style = "body { background-color: white; color: black; font-family: "
- "sans-serif; }";
+ "sans-serif; }\nhr { border: 0; border-bottom: 1px dashed; }\n";
/* Generate simple HTML index document */
if (evbuffer_add_printf(evb,
"<!DOCTYPE HTML PUBLIC "
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index 563f50d0365..6632b105a59 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.51 2014/09/29 19:30:47 deraadt Exp $ */
+/* $OpenBSD: server_http.c,v 1.52 2014/10/21 13:00:33 reyk Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -689,9 +689,6 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
/* Do not send details of the Internal Server Error */
switch (code) {
- case 500:
- /* Do not send details of the Internal Server Error */
- break;
case 301:
case 302:
if (asprintf(&extraheader, "Location: %s\r\n", msg) == -1) {
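Review bot: The comment left above the switch, `/* Do not send details of the Internal Server Error */`, is now stale: the `case 500` it described is gone and the no-details policy applies to every code that reaches `default`, so it should be reworded to something like `/* Only redirects carry data from msg (Location); all other codes are reported without details */`. The 301/302 branch still writes `msg` verbatim into a `Location:` header; if any caller passes a request-derived path, a CR/LF in it would split the response headers, so it is worth confirming that the path is already rejected or percent-encoded before it gets here, or rejecting `msg` containing `\r`/`\n` at this point. server_abort_http begins before this hunk.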
@@ -700,13 +697,20 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
}
break;
default:
- text = msg;
+ /*
+ * Do not send details of the error. Traditionally,
+ * web servers responsed with the request path on 40x
+ * errors which could be abused to inject JavaScript etc.
+ * Instead of sanitizing the path here, we just don't
+ * reprint it.
+ */
break;
}
/* A CSS stylesheet allows minimal customization by the user */
style = "body { background-color: white; color: black; font-family: "
- "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }";
+ "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }\n"
+ "hr { border: 0; border-bottom: 1px dashed; }\n";
/* Generate simple HTTP+HTML error document */
if (asprintf(&httpmsg,
"HTTP/1.0 %03d %s\r\n"
@@ -724,15 +728,15 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
"<style type=\"text/css\"><!--\n%s\n--></style>\n"
"</head>\n"
"<body>\n"
- "<h1>%s</h1>\n"
+ "<h1>%03d %s</h1>\n"
"<div id='m'>%s</div>\n"
- "<hr><address>%s at %s port %d</address>\n"
+ "<hr>\n<address>%s</address>\n"
"</body>\n"
"</html>\n",
code, httperr, tmbuf, HTTPD_SERVERNAME,
extraheader == NULL ? "" : extraheader,
- code, httperr, style, httperr, text,
- HTTPD_SERVERNAME, hbuf, ntohs(srv_conf->port)) == -1)
+ code, httperr, style, code, httperr, text,
+ HTTPD_SERVERNAME) == -1)
goto done;
/* Dump the message without checking for success */
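Review bot: `hbuf` and `srv_conf->port` were dropped from the argument list of this `asprintf` but nothing in the hunk removes whatever fills `hbuf` earlier in the function; if that address lookup existed only for the removed `%s at %s port %d` footer, it is now dead work (and an unused-variable warning waiting to happen) and should be deleted along with the `hbuf` declaration, unless it is used elsewhere in server_abort_http. It is also worth a one-line comment above the format string, e.g. `/* Body deliberately omits the request path and peer address; only code, reason and server name are echoed */`, so a future change does not reintroduce reflected input. server_abort_http starts before this hunk.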