allow whitespace (HT, LF) chars in url. Change to forbidden_chars_present.

rouilj
6 February 2017, 02:18
I am not sure if this is a bug, but I don't see any issue with sending linefeed (hex 0A, dec 10) and horizontal tab in the url. I have an application that passes errors back to the client in the URL and embeds whitespace to be presented to the user inside a pre block.

Hiawatha by default blocks the whitespace encoding. I can understand hiding the other non-printing characters since they have no effect in HTML.

A crude diff that implements this for LF is below:
==================================================================
--- src/libstr.c
+++ src/libstr.c
@@ -427,11 +427,12 @@
if ((*str > 0) && (*str < 32)) {
return true;
} else if (*str == '%') {
if ((high = hex_char_to_int(*(str + 1))) != -1) { if ((low = hex_char_to_int(*(str + 2))) != \
-1) {
- if (((high << 4) + low) < 32) {
+ if ( ((high << 4) + low) < 32 &&
+ ((high << 4) + low) != 10 ) {
return true; }
} }
}
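Review bot: the exemption on the two added lines covers only the percent-encoded form of LF (value 10), while the subject asks for HT as well and the unchanged raw-byte test "(*str > 0) && (*str < 32)" at the top of the hunk still rejects a literal LF or HT, so the same character is accepted or refused depending on how it is encoded. If the exemption stays, compute "(high << 4) + low" once into a local and compare it against '\n' (and '\t' if that is intended) rather than a bare 10. The exemption is also unconditional, so every string passed through this check will now accept %0A, and a decoded LF is what header and log writers further down treat as a line break; a configuration option that defaults to the current behaviour would keep that risk opt-in.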
Hugo Leisink
6 February 2017, 09:48
That kind of character doesn't belong in the URL. I've done a lot of pentesting in the past and the experience from that tells me that allowing those characters is asking for trouble.

I don't understand how the application sends an error message to the client in the URL. I'm sure that's not what you meant.
rouilj
7 February 2017, 02:07
Yes, I do. Roundup's returned URL includes the status message.
E.g.:

http://example.dynamic-dns.net/cgi/roundup/demo/issue?@ok_message=issue%206%20status%20edited%20ok&@template=batchedit&:columns=title,id,status,queue,duedate,assignedto,activity,dependson,group,seealso&:sort=id&:group=status,queue&:filter=status&:pagesize=50&:startwith=0&status=-1,1,2,3,4,5

I'll accept your assessment of the use of those characters in a URL.
Hugo Leisink
8 February 2017, 22:51
You mean the server sends a redirect to the client? So, I can include my own message in that URL? Sounds like that can be used for phishing...
This topic has been closed.