Opened 5 months ago

Closed 5 months ago

#2362 closed defect (invalid)

FancyIndex does not escape html tags (like autoindex does)

Reported by: mywave82@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.19.x
Keywords: fancyindex Cc: mywave82@…
uname -a: Linux hydrogen 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:27:34 UTC 2019 i686 athlon i686 GNU/Linux
nginx -V: nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-CfDAI0/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Description

If your filename has & < or > in them, it will leak into the html, only the url is escaped. Problem seems to be widespread but not addressed.

Example:

filename: foo"&<b>test.txt

generated html:
<tr><td><a href="foo%22&<b>test.txt" title="foo"&<b>test.txt">foo"&<b>test.txt</a></td><td> 11</td><td>2022-Jun-26 18:45</td></tr>

expected html:
<tr><td><a href="foo%22&<b>test.txt" title="foo"&<b>test.txt">foo"&amp;&lt;b&gt;test.txt</a></td><td> 11</td><td>2022-Jun-26 18:45</td></tr>

Change History (2)

comment:1 by mywave82@…, 5 months ago

This bug seems to be in a 3rd party module, but online documentation on nginx webside does not inform about were this module is located, and packagers like Ubuntu bundle these external modules as part of the nginx source code.

Can I suggest that the webpage is updated about the location of the source tree and bug-tracker for this 3rd party module.

comment:2 by Maxim Dounin, 5 months ago

Resolution: invalid
Status: newclosed

For 3rd party modules you have to contact the module author to report bugs. In this case the right place seems to be here, though you may want to check details as provided by the nginx package you are using.

The nginx team does not track 3rd party modules, unfortunately, as there are a lot of modules out there. The most up-to-date lists can be found in the relevant packages and ports. In particular, contributed vim syntax rules currently use the list of 3rd party modules provided by the FreeBSD nginx-devel port.

Note: See TracTickets for help on using tickets.