-rw-r--r--usr.sbin/httpd/server_file.c4
-rw-r--r--usr.sbin/httpd/server_http.c24
2 files changed, 16 insertions, 12 deletions
diff --git a/usr.sbin/httpd/server_file.c b/usr.sbin/httpd/server_file.c
index ef337e7ccb1..1dc60398614 100644
--- a/usr.sbin/httpd/server_file.c
+++ b/usr.sbin/httpd/server_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_file.c,v 1.37 2014/10/02 19:22:43 reyk Exp $ */
+/* $OpenBSD: server_file.c,v 1.38 2014/10/21 13:00:33 reyk Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -311,7 +311,7 @@ server_file_index(struct httpd *env, struct client *clt, struct stat *st)
/* A CSS stylesheet allows minimal customization by the user */
style = "body { background-color: white; color: black; font-family: "
- "sans-serif; }";
+ "sans-serif; }\nhr { border: 0; border-bottom: 1px dashed; }\n";
/* Generate simple HTML index document */
if (evbuffer_add_printf(evb,
"<!DOCTYPE HTML PUBLIC "
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index 563f50d0365..6632b105a59 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.51 2014/09/29 19:30:47 deraadt Exp $ */
+/* $OpenBSD: server_http.c,v 1.52 2014/10/21 13:00:33 reyk Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -689,9 +689,6 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
/* Do not send details of the Internal Server Error */
switch (code) {
- case 500:
- /* Do not send details of the Internal Server Error */
- break;
case 301:
case 302:
if (asprintf(&extraheader, "Location: %s\r\n", msg) == -1) {
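Review bot: The context comment `/* Do not send details of the Internal Server Error */` above the `switch` is now stale: the `case 500` it referred to is deleted and every non-redirect code falls into `default`, which carries its own, broader comment, so the old line reads as if the switch were still about 500 alone. Either drop it or widen it, e.g. `/* Only redirects carry caller-supplied detail; all other codes get a generic body */`. Note also that the `case 301`/`302` branch still formats `msg` into `Location: %s\r\n` untouched, so the new "we just don't reprint it" rationale does not cover redirects; whether that is fine depends on callers never passing request-derived text with CR/LF into `msg` for those codes, which cannot be verified from this hunk. server_abort_http begins before the hunk and the switch continues after it.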
@@ -700,13 +697,20 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
}
break;
default:
- text = msg;
+ /*
+ * Do not send details of the error. Traditionally,
+ * web servers responsed with the request path on 40x
+ * errors which could be abused to inject JavaScript etc.
+ * Instead of sanitizing the path here, we just don't
+ * reprint it.
+ */
break;
}
/* A CSS stylesheet allows minimal customization by the user */
style = "body { background-color: white; color: black; font-family: "
- "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }";
+ "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }\n"
+ "hr { border: 0; border-bottom: 1px dashed; }\n";
/* Generate simple HTTP+HTML error document */
if (asprintf(&httpmsg,
"HTTP/1.0 %03d %s\r\n"
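Review bot: The new comment in the `default:` branch has a typo, `responsed` should be `responded`, and `40x` is narrower than what the branch now handles: it covers every non-redirect code (including 500), so `4xx and 5xx errors` or simply `error responses` would be accurate. The first sentence is also broader than the code, since the only detail no longer emitted is `text`; the `Location` value in the redirect cases above is still taken from `msg`, so the comment might say `the message body` rather than implying all details are withheld. server_abort_http begins before this hunk and continues after it.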
@@ -724,15 +728,15 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
"<style type=\"text/css\"><!--\n%s\n--></style>\n"
"</head>\n"
"<body>\n"
- "<h1>%s</h1>\n"
+ "<h1>%03d %s</h1>\n"
"<div id='m'>%s</div>\n"
- "<hr><address>%s at %s port %d</address>\n"
+ "<hr>\n<address>%s</address>\n"
"</body>\n"
"</html>\n",
code, httperr, tmbuf, HTTPD_SERVERNAME,
extraheader == NULL ? "" : extraheader,
- code, httperr, style, httperr, text,
- HTTPD_SERVERNAME, hbuf, ntohs(srv_conf->port)) == -1)
+ code, httperr, style, code, httperr, text,
+ HTTPD_SERVERNAME) == -1)
goto done;
/* Dump the message without checking for success */
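Review bot: `text` is still interpolated into `<div id='m'>%s</div>` by the asprintf this hunk rewrites, yet after the change no branch of the switch assigns it, so it only ever holds its initializer, which is declared outside the hunk. If that initializer is a string literal the div is now an always-empty placeholder and the `%s` plus the `text` argument can be removed (or a comment should say why the slot is kept); if it is NULL, passing it to `%s` is undefined behaviour and needs a guard, so please confirm at the declaration. Minor: the new `<h1>%03d %s</h1>` passes `code`, declared `u_int` in the signature, to `%03d`; `%03u` matches the type. server_abort_http begins before the hunk and continues after it.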