frodovdr/hyperion.ng
1
0
Fork 0
mirror of https://github.com/hyperion-project/hyperion.ng.git synced 2025-03-01 10:33:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix Cross Site Scripting Vulnerability 1 (#1720)

Browse Source
This commit is contained in:
LordGrey 2024-04-02 21:44:46 +02:00 committed by GitHub
parent 86d08823a8
commit d5438acbf4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libsrc/webserver/StaticFileServing.cpp
View File

@ -39,12 +39,15 @@ void StaticFileServing::setBaseUrl(const QString& url)
void StaticFileServing::setSSDPDescription(const QString& desc) void StaticFileServing::setSSDPDescription(const QString& desc)
{ {
if(desc.isEmpty()) if(desc.isEmpty())
{
_ssdpDescription.clear(); _ssdpDescription.clear();
else } else
{
_ssdpDescription = desc.toLocal8Bit(); _ssdpDescription = desc.toLocal8Bit();
} }
}
void StaticFileServing::printErrorToReply (QtHttpReply * reply, QtHttpReply::StatusCode code, QString errorMessage) void StaticFileServing::printErrorToReply (QtHttpReply * reply, QtHttpReply::StatusCode code, const QString& errorMessage)
{ {
reply->setStatusCode(code); reply->setStatusCode(code);
reply->addHeader ("Content-Type", QByteArrayLiteral ("text/html")); reply->addHeader ("Content-Type", QByteArrayLiteral ("text/html"));
@ -62,13 +65,13 @@ void StaticFileServing::printErrorToReply (QtHttpReply * reply, QtHttpReply::Sta
if (errorPage.open (QFile::ReadOnly)) if (errorPage.open (QFile::ReadOnly))
{ {
QByteArray data = errorPage.readAll(); QByteArray data = errorPage.readAll();
data = data.replace("{MESSAGE}", errorMessage.toLocal8Bit() ); data = data.replace("{MESSAGE}", QString(errorMessage.toLocal8Bit()).toHtmlEscaped().toLocal8Bit() );
reply->appendRawData (data); reply->appendRawData (data);
errorPage.close (); errorPage.close ();
} }
else else
{ {
reply->appendRawData (QString(QString::number(code) + " - " +errorMessage).toLocal8Bit()); reply->appendRawData (QString(QString::number(code) + " - " +errorMessage.toLocal8Bit()).toHtmlEscaped().toLocal8Bit());
} }
if (errorPageFooter.open (QFile::ReadOnly)) if (errorPageFooter.open (QFile::ReadOnly))
@ -103,7 +106,8 @@ void StaticFileServing::onRequestNeedsReply (QtHttpRequest * request, QtHttpRepl
} }
return; return;
} }
else if(uri_parts.at(0) == "description.xml" && !_ssdpDescription.isNull())
if(uri_parts.at(0) == "description.xml" && !_ssdpDescription.isNull())
{ {
reply->addHeader ("Content-Type", "text/xml"); reply->addHeader ("Content-Type", "text/xml");
reply->appendRawData (_ssdpDescription); reply->appendRawData (_ssdpDescription);

2
libsrc/webserver/StaticFileServing.h
View File

@ -37,7 +37,7 @@ private:
Logger * _log; Logger * _log;
QByteArray _ssdpDescription; QByteArray _ssdpDescription;
void printErrorToReply (QtHttpReply * reply, QtHttpReply::StatusCode code, QString errorMessage); void printErrorToReply (QtHttpReply * reply, QtHttpReply::StatusCode code, const QString& errorMessage);
}; };