Opened 2 years ago
Closed 2 years ago
#2362 closed defect (invalid)
FancyIndex does not escape html tags (like autoindex does)
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.19.x |
| Keywords: | fancyindex | Cc: | mywave82@… |
| uname -a: | Linux hydrogen 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:27:34 UTC 2019 i686 athlon i686 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-CfDAI0/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module |
||
Description
If your filename has & < or > in them, it will leak into the html, only the url is escaped. Problem seems to be widespread but not addressed.
Example:
filename: foo"&<b>test.txt
generated html:
<tr><td><a href="foo%22&<b>test.txt" title="foo"&<b>test.txt">foo"&<b>test.txt</a></td><td> 11</td><td>2022-Jun-26 18:45</td></tr>
expected html:
<tr><td><a href="foo%22&<b>test.txt" title="foo"&<b>test.txt">foo"&<b>test.txt</a></td><td> 11</td><td>2022-Jun-26 18:45</td></tr>
Change History (2)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
For 3rd party modules you have to contact the module author to report bugs. In this case the right place seems to be here, though you may want to check details as provided by the nginx package you are using.
The nginx team does not track 3rd party modules, unfortunately, as there are a lot of modules out there. The most up-to-date lists can be found in the relevant packages and ports. In particular, contributed vim syntax rules currently use the list of 3rd party modules provided by the FreeBSD nginx-devel port.
This bug seems to be in a 3rd party module, but online documentation on nginx webside does not inform about were this module is located, and packagers like Ubuntu bundle these external modules as part of the nginx source code.
Can I suggest that the webpage is updated about the location of the source tree and bug-tracker for this 3rd party module.