[PATCH 0/2] gitweb: Improve escaping

[PATCH 0/2] gitweb: Improve escaping

[Jakub Narebski]

Those two patches are dependent on each other only because of single
change in second patch, showcasing the feature.
---
Jakub Narebski (2):
      gitweb: esc_html (short) error message in die_error
      gitweb: Protect escaping functions against calling on undef

 gitweb/gitweb.perl |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

-- 
Jakub Narebski
ShadeHawk on #git
Poland

[PATCH 1/2] gitweb: esc_html (short) error message in die_error

[Jakub Narebski]

The error message (second argument to die_error) is meant to be short,
one-line text description of given error.  A few callers call
die_error with error message containing unescaped user supplied data
($hash, $file_name).  Instead of forcing callers to escape data,
simply call esc_html on the parameter.

Note that optional third parameter, which contains detailed error
description, is meant to be HTML formatted, and therefore should be
not escaped.

While at it update esc_html synopsis/usage, and bring default error
description to read 'Internal Server Error' (titlecased).

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
---
Alternate solution would be to do escaping in call sites for die_error.

But in error messages shown on 'die' via CGI::Carp qw(fatalsToBrowser)
the error message is HTML escaped, so in fact we are following here
this "calling convention".

Note that for any patch relied on 'Internal server error' as error
message, it must be changed to not fail wrongly.

 gitweb/gitweb.perl |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index a5bc359..e393f65 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -3374,7 +3374,7 @@ sub git_footer_html {
 	      "</html>";
 }
 
-# die_error(<http_status_code>, <error_message>)
+# die_error(<http_status_code>, <error_message>[, <detailed_html_description>])
 # Example: die_error(404, 'Hash not found')
 # By convention, use the following status codes (as defined in RFC 2616):
 # 400: Invalid or missing CGI parameters, or
@@ -3389,7 +3389,7 @@ sub git_footer_html {
 #      or down for maintenance).  Generally, this is a temporary state.
 sub die_error {
 	my $status = shift || 500;
-	my $error = shift || "Internal server error";
+	my $error = esc_html(shift || "Internal Server Error");
 	my $extra = shift;
 
 	my %http_responses = (

[PATCH 2/2] gitweb: Protect escaping functions against calling on undef

[Jakub Narebski]

This is a bit of future-proofing esc_html and friends: when called
with undefined value they would now would return undef... which would
probably mean that error would still occur, but closer to the source
of problem.

This means that we can safely use
  esc_html(shift) || "Internal Server Error"
in die_error() instead of
  esc_html(shift || "Internal Server Error")

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
---
Without the second part (i.e. the change in die_error) those two
patches would be totally independent.

 gitweb/gitweb.perl |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index e393f65..c10967c 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -1145,6 +1145,7 @@ sub validate_refname {
 # in utf-8 thanks to "binmode STDOUT, ':utf8'" at beginning
 sub to_utf8 {
 	my $str = shift;
+	return undef unless defined $str;
 	if (utf8::valid($str)) {
 		utf8::decode($str);
 		return $str;
@@ -1157,6 +1158,7 @@ sub to_utf8 {
 # correct, but quoted slashes look too horrible in bookmarks
 sub esc_param {
 	my $str = shift;
+	return undef unless defined $str;
 	$str =~ s/([^A-Za-z0-9\-_.~()\/:@ ]+)/CGI::escape($1)/eg;
 	$str =~ s/ /\+/g;
 	return $str;
@@ -1165,6 +1167,7 @@ sub esc_param {
 # quote unsafe chars in whole URL, so some charactrs cannot be quoted
 sub esc_url {
 	my $str = shift;
+	return undef unless defined $str;
 	$str =~ s/([^A-Za-z0-9\-_.~();\/;?:@&=])/sprintf("%%%02X", ord($1))/eg;
 	$str =~ s/\+/%2B/g;
 	$str =~ s/ /\+/g;
@@ -1176,6 +1179,8 @@ sub esc_html {
 	my $str = shift;
 	my %opts = @_;
 
+	return undef unless defined $str;
+
 	$str = to_utf8($str);
 	$str = $cgi->escapeHTML($str);
 	if ($opts{'-nbsp'}) {
@@ -1190,6 +1195,8 @@ sub esc_path {
 	my $str = shift;
 	my %opts = @_;
 
+	return undef unless defined $str;
+
 	$str = to_utf8($str);
 	$str = $cgi->escapeHTML($str);
 	if ($opts{'-nbsp'}) {
@@ -3389,7 +3396,7 @@ sub git_footer_html {
 #      or down for maintenance).  Generally, this is a temporary state.
 sub die_error {
 	my $status = shift || 500;
-	my $error = esc_html(shift || "Internal Server Error");
+	my $error = esc_html(shift) || "Internal Server Error";
 	my $extra = shift;
 
 	my %http_responses = (

Re: [PATCH 1/2] gitweb: esc_html (short) error message in die_error

[Jakub Narebski]

On Sun, 7 Feb 2010, Jakub Narebski wrote:

> The error message (second argument to die_error) is meant to be short,
> one-line text description of given error.  A few callers call
> die_error with error message containing unescaped user supplied data
> ($hash, $file_name).  Instead of forcing callers to escape data,
> simply call esc_html on the parameter.
> 
> Note that optional third parameter, which contains detailed error
> description, is meant to be HTML formatted, and therefore should be
> not escaped.
> 
> While at it update esc_html synopsis/usage, and bring default error
> description to read 'Internal Server Error' (titlecased).
> 
> Signed-off-by: Jakub Narebski <jnareb@gmail.com>
> ---
> Alternate solution would be to do escaping in call sites for die_error.
> 
> But in error messages shown on 'die' via CGI::Carp qw(fatalsToBrowser)
> the error message is HTML escaped, so in fact we are following here
> this "calling convention".
> 
> Note that for any patch relied on 'Internal server error' as error
> message, it must be changed to not fail wrongly.

Ping!

On one hand it introduces different treatment for second parameter to
die_error (error message), which is now being HTML-escaped, and optional
third parameter to die_error (detailed description), which is taken as
formatted and not escaped.  On the other hand this is simple solution
not requiring changes in callsites, and allowing easy extending error
messages with relevant information.

Another related issue is how detailed should be our one-line error
messages, and what data should they include.  User provided input
($file_name, $hash, etc.) should be safe if HTML-escaped.  But what
about adding errno message: "$!"?  It can help in debugging the
problem, but theoretically it exposes information to a possible
attacker...

What do you think about it?
-- 
Jakub Narebski
Poland

Re: [PATCH 2/2] gitweb: Protect escaping functions against calling on undef

[Jakub Narebski]

On Sun, 7 Feb 2010, Jakub Narebski wrote:

> This is a bit of future-proofing esc_html and friends: when called
> with undefined value they would now would return undef... which would
> probably mean that error would still occur, but closer to the source
> of problem.
> 
> This means that we can safely use
>   esc_html(shift) || "Internal Server Error"
> in die_error() instead of
>   esc_html(shift || "Internal Server Error")
> 
> Signed-off-by: Jakub Narebski <jnareb@gmail.com>
> ---
> Without the second part (i.e. the change in die_error) those two
> patches would be totally independent.

Ping!

All but last chunk (last chunk depends on PATCH 1/2) are a bit of
hardening / defensive programming... although currently not necessary
(gitweb doesn't pass undef to its escaping subroutines... I think).

-- 
Jakub Narebski
Poland