From a2fcebe15c8d9e238a827896c2d6b91a1274a042 Mon Sep 17 00:00:00 2001
From: Calum Lind
Date: Sun, 4 Feb 2018 21:42:00 +0000
Subject: [WebUI] Encode HTML entitiies
Ensure that torrent keys that could contain HTML entities are encoded when displayed in webui.
---
 deluge/ui/web/json_api.py | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/deluge/ui/web/json_api.py b/deluge/ui/web/json_api.py
index 28e177df4..1a2bfa266 100644
--- a/deluge/ui/web/json_api.py
+++ b/deluge/ui/web/json_api.py
@@ -35,6 +35,7 @@ from __future__ import with_statement
+import cgi
 import os
 import time
 import base64
@@ -439,6 +440,13 @@ class WebApi(JSONComponent):
 the web interface. The complete web json interface also exposes all the methods available from the core RPC. """
+ XSS_VULN_KEYS = [
+ 'name',
+ 'message',
+ 'comment',
+ 'tracker_status',
+ 'peers'
+ ]
 def __init__(self):
 super(WebApi, self).__init__("Web", depend=["SessionProxy"])
@@ -594,7 +602,7 @@ class WebApi(JSONComponent):
 paths = []
 info = {}
 for index, torrent_file in enumerate(files):
- path = torrent_file["path"]
+ path = cgi.escape(torrent_file["path"])
 paths.append(path)
 torrent_file["progress"] = file_progress[index]
 torrent_file["priority"] = file_priorities[index]
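Review bot: `XSS_VULN_KEYS` carries no comment saying what qualifies a key for the list, and the `peers` entry is treated differently from the others (only each peer dict's `client` field is encoded, in `_on_torrent_status` in the last hunk), which a reader cannot tell from the list itself. A comment above it such as `# Status keys whose string values the WebUI renders as HTML; _on_torrent_status entity-encodes them before they are returned. 'peers' is a list of dicts and only its 'client' field is encoded.` would record that contract. It also makes explicit that this is a deny-list maintained at the API layer rather than encoding at the point of rendering, so any further free-text status key the UI displays has to be added here or it is returned unencoded.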
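Review bot: `cgi.escape(torrent_file["path"])` uses the default `quote=False`, so only `&`, `<` and `>` are replaced and a double quote passes through unchanged; if the WebUI places the value inside an HTML attribute, this encoding does not cover that context. Passing `quote=True` at each call site — here, `path = cgi.escape(torrent_file["path"], quote=True)`, and likewise the two `cgi.escape` calls in `_on_torrent_status` in the last hunk — closes that gap. `cgi.escape` is also deprecated since Python 3.2 and removed in 3.8; `html.escape`, which escapes quotes by default, is the replacement should this file be ported. The enclosing function starts and ends outside the hunk.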
@@ -631,9 +639,24 @@ class WebApi(JSONComponent):
 file_tree.walk(walk)
 d.callback(file_tree.get_tree())
+ def _on_torrent_status(self, torrent, d):
+ for key in self.XSS_VULN_KEYS:
+ try:
+ if key == 'peers':
+ for peer in torrent[key]:
+ peer['client'] = cgi.escape(peer['client'])
+ else:
+ torrent[key] = cgi.escape(torrent[key])
+ except KeyError:
+ pass
+ d.callback(torrent)
+
 @export
 def get_torrent_status(self, torrent_id, keys):
- return component.get("SessionProxy").get_torrent_status(torrent_id, keys)
+ main_deferred = Deferred()
+ d = component.get("SessionProxy").get_torrent_status(torrent_id, keys)
+ d.addCallback(self._on_torrent_status, main_deferred)
+ return main_deferred
 @export
 def get_torrent_files(self, torrent_id):
-- cgit
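Review bot: In `get_torrent_status`, `main_deferred` is wired only to the success path (`d.addCallback(self._on_torrent_status, main_deferred)`); if the SessionProxy deferred errbacks, or `_on_torrent_status` itself raises, `main_deferred` never fires and the JSON request hangs without a response. The latter is reachable because the handler catches only `KeyError`: a non-string value (for example `None`) under one of the listed keys would raise `AttributeError` inside `cgi.escape`. The simplest fix drops the extra Deferred and keeps Twisted's normal error propagation: have `_on_torrent_status(self, torrent)` end with `return torrent` instead of `d.callback(torrent)`, and in `get_torrent_status` use `d.addCallback(self._on_torrent_status)` followed by `return d`. Separately, the `try` wraps the whole `peers` loop, so one peer dict lacking `client` silently stops encoding for every later peer; narrowing it to `peer['client'] = cgi.escape(peer.get('client', ''))` keeps the loop going.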