Commit d8b8b9c9 authored by Ludovic Fauvet, committed by Jean-Baptiste Kempf

lua http: fix two xss vulnerabilities

(cherry picked from commit bf02b8dd211d5a52aa301a9a2ff4e73ed8195881)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
parent 26787244
...@@ -27,7 +27,7 @@ ...@@ -27,7 +27,7 @@
if _GET["command"] then if _GET["command"] then
local msg = vlm:execute_command(_GET["command"]) local msg = vlm:execute_command(_GET["command"])
if msg.value then if msg.value then
print(msg.name,":",msg.value) print(msg.name,":",vlc.strings.convert_xml_special_chars(msg.value))
end end
else else
?>No command<?vlc ?>No command<?vlc
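Review bot: On the changed print line, msg.name is still written to the response unescaped while msg.value is now wrapped in vlc.strings.convert_xml_special_chars. The command reaches vlm:execute_command straight from _GET["command"] two lines earlier, so if the returned name can carry any text derived from that parameter it is the same reflection path and deserves the same treatment: `print(vlc.strings.convert_xml_special_chars(msg.name),":",vlc.strings.convert_xml_special_chars(msg.value))`. Whether msg.name is ever request-derived is not visible here and should be confirmed against vlm:execute_command. The template code around this if block starts before the hunk and continues after it.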
...@@ -107,7 +107,8 @@ function callback_error(path,url,msg) ...@@ -107,7 +107,8 @@ function callback_error(path,url,msg)
<title>Error loading ]]..url..[[</title> <title>Error loading ]]..url..[[</title>
</head> </head>
<body> <body>
<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information." or tostring(msg))..[[</pre> <h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information."
or vlc.strings.convert_xml_special_chars(tostring(msg)))..[[</pre>
<p> <p>
<a href="http://www.videolan.org/">VideoLAN</a><br/> <a href="http://www.videolan.org/">VideoLAN</a><br/>
<a href="http://www.lua.org/manual/5.1/">Lua 5.1 Reference Manual</a> <a href="http://www.lua.org/manual/5.1/">Lua 5.1 Reference Manual</a>
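Review bot: url is still concatenated raw into the `<title>` and `<h1>` on the first and fourth lines of the hunk, while the fix only wraps msg in vlc.strings.convert_xml_special_chars. callback_error(path,url,msg) gets url from the request handler, so if it reflects the requested path it is a second reflection point in the same error page. I would change `<title>Error loading ]]..url..[[</title>` to `<title>Error loading ]]..vlc.strings.convert_xml_special_chars(url)..[[</title>` and the `<h1>` line the same way. The body of callback_error begins before this hunk (its signature is only shown in the @@ line) and continues past it.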