author | Calum Lind <calumlind@gmail.com> | 2018-02-04 21:42:00 +0000 |
---|---|---|
committer | Calum Lind <calumlind@gmail.com> | 2018-02-04 21:42:16 +0000 |
commit | a2fcebe15c8d9e238a827896c2d6b91a1274a042 (patch) | |
tree | 1e797ca2e74f15f292807343d765342a74c63c32 | |
parent | b8e5ebe8220c8365e186127e381a2d2dbaf9e460 (diff) | |
[WebUI] Encode HTML entities
Ensure that torrent keys that could contain HTML entities are encoded
when displayed in webui.
-rw-r--r-- | deluge/ui/web/json_api.py | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/deluge/ui/web/json_api.py b/deluge/ui/web/json_api.py
index 28e177df4..1a2bfa266 100644
--- a/deluge/ui/web/json_api.py
+++ b/deluge/ui/web/json_api.py
@@ -35,6 +35,7 @@ from __future__ import with_statement
+import cgi
 import os
 import time
 import base64
@@ -439,6 +440,13 @@ class WebApi(JSONComponent):
 the web interface. The complete web json interface also exposes all
 the methods available from the core RPC.
 """
+ XSS_VULN_KEYS = [
+ 'name',
+ 'message',
+ 'comment',
+ 'tracker_status',
+ 'peers'
+ ]
 def __init__(self):
 super(WebApi, self).__init__("Web", depend=["SessionProxy"])
@@ -594,7 +602,7 @@ class WebApi(JSONComponent):
 paths = []
 info = {}
 for index, torrent_file in enumerate(files):
- path = torrent_file["path"]
+ path = cgi.escape(torrent_file["path"])
 paths.append(path)
 torrent_file["progress"] = file_progress[index]
 torrent_file["priority"] = file_priorities[index]
@@ -631,9 +639,24 @@ class WebApi(JSONComponent):
 file_tree.walk(walk)
 d.callback(file_tree.get_tree())
+ def _on_torrent_status(self, torrent, d):
+ for key in self.XSS_VULN_KEYS:
+ try:
+ if key == 'peers':
+ for peer in torrent[key]:
+ peer['client'] = cgi.escape(peer['client'])
+ else:
+ torrent[key] = cgi.escape(torrent[key])
+ except KeyError:
+ pass
+ d.callback(torrent)
+
 @export
 def get_torrent_status(self, torrent_id, keys):
- return component.get("SessionProxy").get_torrent_status(torrent_id, keys)
+ main_deferred = Deferred()
+ d = component.get("SessionProxy").get_torrent_status(torrent_id, keys)
+ d.addCallback(self._on_torrent_status, main_deferred)
+ return main_deferred
 @export
 def get_torrent_files(self, torrent_id): |
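Review bot: `get_torrent_status` now hands back a fresh `main_deferred` that only ever fires on success — `d` gets an `addCallback` but no errback, so a failure from SessionProxy or an exception raised inside `_on_torrent_status` (for example `cgi.escape` on a non-string such as `None`, which raises AttributeError and is not covered by the `except KeyError`) never reaches `main_deferred` and the web client's request hangs instead of getting an error; add `d.addErrback(main_deferred.errback)` right after the `addCallback`. Separately, `cgi.escape` defaults to `quote=False`, so `"` and `'` survive in the escaped values; unless the JS side only ever inserts these fields as text nodes, call `cgi.escape(value, quote=True)` at each site (including the `torrent_file["path"]` one in the earlier hunk) so a crafted name or tracker message cannot break out of an HTML attribute. Note also that the `peers` branch rewrites `peer['client']` in place on the dicts it is given; if those peer dicts are shared with SessionProxy's cache rather than copied, a later request would escape them a second time (`&amp;amp;`), which is worth confirming before relying on in-place mutation. The `get_torrent_files` definition at the end of the hunk continues outside it.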