Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a "development" option to general settings #1230

Open
skinkie opened this issue Oct 27, 2019 · 0 comments
Open

Add a "development" option to general settings #1230

skinkie opened this issue Oct 27, 2019 · 0 comments
Assignees
@skinkie
Labels
t:enhancement

Comments

@skinkie
Copy link
Member

skinkie commented Oct 27, 2019

In #1223 a point is raised if our 400 status page should return the full output of a bad request. There could be pro and cons for this. But maybe we should make it either dynamically available or have it available when compiled with TRACE.
@skinkie skinkie self-assigned this Oct 27, 2019
skinkie added a commit that referenced this issue Oct 27, 2019
@skinkie
XSS vulnerability in handler_error via cherokee_buffer_add_escape_html
e603e2a 
In Issue #1223 LogicalTrust describes an XSS in the 400 page. When providing a buffer that contains a \0 char strpbrk will not be able to find characters afterwards.
This leads to the question: should we beable to return escaped sequences containing \0 values. Since the original function assumed those should not exists this code might guard for
it. But I do wonder if it is elegant enough to do so.

A subsequent question was raised if the 400 page should return "bad input" a discussion on this feature is started in #1230
@skinkie skinkie mentioned this issue Oct 27, 2019
Merged
skinkie added a commit that referenced this issue Nov 14, 2019
@skinkie
XSS vulnerability in handler_error via cherokee_buffer_add_escape_html (
998c4fe 
#1231)

In Issue #1223 LogicalTrust describes an XSS in the 400 page. When providing a buffer that contains a \0 char strpbrk will not be able to find characters afterwards. This leads to the question: should we be able to return escaped sequences containing \0 values. Since the original function assumed those should not exists this code might guard for it. But I do wonder if it is elegant enough to do so. A subsequent question was raised if the 400 page should return "bad input" a discussion on this feature is started in #1230. Additionally a QA-test was added.

Fixes #1223 and #1209 
And resolves CVE-2006-1681.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@skinkie skinkie

Labels
t:enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@skinkie