From 5de3e50959f013adebcc67d3305eb5da1ca8198f Mon Sep 17 00:00:00 2001 
From: Reyk Floeter 
Date: Tue, 21 Oct 2014 13:00:34 +0000 
Subject: Rework the error message a little bit: Do not send details of the error. Traditionally, web servers responsed with the request path on 40x errors which could be abused to inject JavaScript etc. Instead of sanitizing the path, we just don't reprint it. Also modify the style a little bit but keep Comic Sans. With input from Jonas Lindemann and doug@ 
---
 usr.sbin/httpd/server_file.c | 4 ++--
 usr.sbin/httpd/server_http.c | 24 ++++++++++++++----------
 2 files changed, 16 insertions(+), 12 deletions(-)
 (limited to 'usr.sbin/httpd') 
diff --git a/usr.sbin/httpd/server_file.c b/usr.sbin/httpd/server_file.c 
index ef337e7ccb1..1dc60398614 100644 
--- a/usr.sbin/httpd/server_file.c 
+++ b/usr.sbin/httpd/server_file.c 
@@ -1,4 +1,4 @@ 
-/* $OpenBSD: server_file.c,v 1.37 2014/10/02 19:22:43 reyk Exp $ */ 
+/* $OpenBSD: server_file.c,v 1.38 2014/10/21 13:00:33 reyk Exp $ */
 /*
 * Copyright (c) 2006 - 2014 Reyk Floeter 
@@ -311,7 +311,7 @@ server_file_index(struct httpd *env, struct client *clt, struct stat *st)
 /* A CSS stylesheet allows minimal customization by the user */
 style = "body { background-color: white; color: black; font-family: " 
- "sans-serif; }"; 
+ "sans-serif; }\nhr { border: 0; border-bottom: 1px dashed; }\n";
 /* Generate simple HTML index document */
 if (evbuffer_add_printf(evb, " 
@@ -689,9 +689,6 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
 /* Do not send details of the Internal Server Error */
 switch (code) { 
- case 500: 
- /* Do not send details of the Internal Server Error */ 
- break;
 case 301:
 case 302:
 if (asprintf(&extraheader, "Location: %s\r\n", msg) == -1) { 
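Review bot: The context comment `/* Do not send details of the Internal Server Error */` above `switch (code)` now describes a case this hunk deletes, while the rationale it alludes to has moved into the default case of the next hunk; it should be dropped or reworded to what the switch still does, e.g. `/* Only redirects reuse msg, as the Location target */`. The surviving `case 301:`/`case 302:` branch still interpolates `msg` verbatim into `Location: %s\r\n`, so the commit's policy of not echoing request-derived text only holds if every caller passes a server-constructed target there; none of the hunks shows that guarantee, so it is worth confirming at the call sites, including that the value cannot carry CR or LF. server_abort_http begins and ends outside this hunk.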
@@ -700,13 +697,20 @@ server_abort_http(struct client *clt, u_int code, const char *msg)
 }
 break;
 default: 
- text = msg; 
+ /* 
+ * Do not send details of the error. Traditionally, 
+ * web servers responsed with the request path on 40x 
+ * errors which could be abused to inject JavaScript etc. 
+ * Instead of sanitizing the path here, we just don't 
+ * reprint it. 
+ */
 break;
 }
 /* A CSS stylesheet allows minimal customization by the user */
 style = "body { background-color: white; color: black; font-family: " 
- "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }"; 
+ "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }\n" 
+ "hr { border: 0; border-bottom: 1px dashed; }\n";
 /* Generate simple HTTP+HTML error document */
 if (asprintf(&httpmsg, "HTTP/1.0 %03d %s\r\n" 
@@ -724,15 +728,15 @@ server_abort_http(struct client *clt, u_int code, const char *msg) "\n" "\n" "\n" - "
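Review bot: With `text = msg;` removed from the default case, nothing in this hunk or the neighbouring ones assigns `text` before the later hunk hands it to a `%s` in the error document, so its value now rests entirely on the initializer at its declaration, which is outside the hunk; if that declaration is a bare `const char *text;`, the format reads an indeterminate pointer, and if it is `""`, the variable and the `%s` that prints it could be removed instead of always emitting an empty element. The new comment also has a typo: `* web servers responded with the request path on 40x`. server_abort_http starts and ends outside this hunk.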

%s

\n" + "

%03d %s

\n" "
%s
\n" - "
%s at %s port %d
\n" + "
\n
%s
\n" "\n" "\n", code, httperr, tmbuf, HTTPD_SERVERNAME, extraheader == NULL ? "" : extraheader, - code, httperr, style, httperr, text, - HTTPD_SERVERNAME, hbuf, ntohs(srv_conf->port)) == -1) + code, httperr, style, code, httperr, text, + HTTPD_SERVERNAME) == -1) goto done; /* Dump the message without checking for success */ -- cgit v1.2.3
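Review bot: The rewritten argument list drops `hbuf` and `ntohs(srv_conf->port)` from the `<address>` line, but nothing in this hunk removes whatever fills `hbuf` earlier in server_abort_http (outside the hunk); if that lookup survives, it is dead work on every error response and `hbuf`, and possibly `srv_conf`, become unused locals that `-Wunused` will flag. The HTML string literals of this hunk are only partly legible in this rendering, so this checks the argument list rather than the markup. The enclosing function continues past the hunk.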