Merge pull request #690 from levigross/master

Invalid user supplied messages should be HTML entity escaped.
2026-01-14 11:09:11 +08:00 · 2014-02-06 12:45:34 -08:00 · 2014-02-06 12:45:34 -08:00 · 56b9fca562
commit 56b9fca562
parent 6e9644c5a6 e0d2930887
2 changed files with 15 additions and 13 deletions
--- a/gunicorn/util.py
+++ b/gunicorn/util.py
@ -18,11 +18,13 @@ import traceback
 import inspect
 import errno
 import warnings
 import cgi
 from gunicorn.errors import AppImportError
-from gunicorn.six import text_type, string_types
+from gunicorn.six import text_type
 from gunicorn.workers import SUPPORTED_WORKERS
 MAXFD = 1024
 REDIRECT_TO = getattr(os, 'devnull', '/dev/null')
@ -328,11 +330,11 @@ def write_error(sock, status_int, reason, mesg):
        <title>%(reason)s</title>
      </head>
      <body>
-        <h1>%(reason)s</h1>
+        <h1><p>%(reason)s</p></h1>
        %(mesg)s
      </body>
    </html>
-    """) % {"reason": reason, "mesg": mesg}
+    """) % {"reason": reason, "mesg": cgi.escape(mesg)}
    http = textwrap.dedent("""\
    HTTP/1.1 %s %s\r
--- a/gunicorn/workers/base.py
+++ b/gunicorn/workers/base.py
@ -88,7 +88,7 @@ class Worker(object):
                raise SystemExit()
            Reloader(callback=changed).start()
-        # set enviroment' variables
+        # set environment' variables
        if self.cfg.env:
            for k, v in self.cfg.env.items():
                os.environ[k] = v
@ -104,7 +104,7 @@ class Worker(object):
            util.set_non_blocking(p)
            util.close_on_exec(p)
-        # Prevent fd inherientence
+        # Prevent fd inheritance
        [util.close_on_exec(s) for s in self.sockets]
        util.close_on_exec(self.tmp.fileno())
@ -159,24 +159,24 @@ class Worker(object):
            reason = "Bad Request"
            if isinstance(exc, InvalidRequestLine):
-                mesg = "<p>Invalid Request Line '%s'</p>" % str(exc)
+                mesg = "Invalid Request Line '%s'" % str(exc)
            elif isinstance(exc, InvalidRequestMethod):
-                mesg = "<p>Invalid Method '%s'</p>" % str(exc)
+                mesg = "Invalid Method '%s'" % str(exc)
            elif isinstance(exc, InvalidHTTPVersion):
-                mesg = "<p>Invalid HTTP Version '%s'</p>" % str(exc)
+                mesg = "Invalid HTTP Version '%s'" % str(exc)
            elif isinstance(exc, (InvalidHeaderName, InvalidHeader,)):
-                mesg = "<p>%s</p>" % str(exc)
+                mesg = "%s" % str(exc)
                if not req and hasattr(exc, "req"):
                    req = exc.req  # for access log
            elif isinstance(exc, LimitRequestLine):
-                mesg = "<p>%s</p>" % str(exc)
+                mesg = "%s" % str(exc)
            elif isinstance(exc, LimitRequestHeaders):
-                mesg = "<p>Error parsing headers: '%s'</p>" % str(exc)
+                mesg = "Error parsing headers: '%s'" % str(exc)
            elif isinstance(exc, InvalidProxyLine):
-                mesg = "<p>'%s'</p>" % str(exc)
+                mesg = "'%s'" % str(exc)
            elif isinstance(exc, ForbiddenProxyRequest):
                reason = "Forbidden"
-                mesg = "<p>Request forbidden</p>"
+                mesg = "Request forbidden"
                status_int = 403
            self.log.debug("Invalid request from ip={ip}: {error}"\