[tahoe-dev] [tahoe-lafs] #1143: Double Encoding in HTML in File Names in WUI
tahoe-lafs
trac at tahoe-lafs.org
Sun Aug 1 05:00:32 UTC 2010
#1143: Double Encoding in HTML in File Names in WUI
---------------------+------------------------------------------------------
Reporter: chrisp | Owner: nobody
Type: defect | Status: new
Priority: major | Milestone: undecided
Component: unknown | Version: 1.7.1
Keywords: | Launchpad Bug:
---------------------+------------------------------------------------------
My file "zumby-bumby ; mail blaggy at mailinator.com < /etc/hosts" in the
pubgrid root http://pubgrid.tahoe-
lafs.org/uri/URI%3ADIR2%3Actmtx2awdo4xt77x5xxaz6nyxm%3An5t546ddvd6xlv4v6se6sjympbdbvo7orwizuzl42urm73sxazqa/
is listed as "zumby-bumby ; mail blaggy at mailinator.com < /etc/hosts" in
the listing.
That is, the < got converted to < and then that ampersand got converted
to &. Thus, we end up with <.
HTML entity-encoding is good because it can stop XSS, but be careful: it
increases the size of memory you have to allocate to handle the request.
Also, double-encoding is just plain incorrect. Single-encode, and place
limits on how much memory you will allocate to do the encoding. One way to
do this is to include input size limits as part of your input validation
framework.
--
Ticket URL: <http://tahoe-lafs.org/trac/tahoe-lafs/ticket/1143>
tahoe-lafs <http://tahoe-lafs.org>
secure decentralized storage
More information about the tahoe-dev
mailing list