From: Eric Price <ecprice@mit.edu>
Date: Tue, 22 Apr 2008 05:37:50 +0000 (-0400)
Subject: Avoid html injection.
X-Git-Tag: sipb-xen-www/3.4~22
X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/7b924b8f4ec3c62b70a012f7d417beb230db8965

Avoid html injection.

Cheetah is painful.

svn path=/trunk/packages/sipb-xen-www/; revision=447
---

diff --git a/code/main.py b/code/main.py
index de28a63..3b43859 100755
--- a/code/main.py
+++ b/code/main.py
@@ -11,6 +11,7 @@ import sha
 import simplejson
 import sys
 import time
+import urllib
 from StringIO import StringIO
 
 def revertStandardError():
@@ -58,12 +59,15 @@ class Checkpoint:
 
 
 checkpoint = Checkpoint()
 
+def jquote(string):
+    return "'" + string.replace('\\', '\\\\').replace("'", "\\'").replace('\n', '\\n') + "'"
 def helppopup(subj):
     """Return HTML code for a (?) link to a specified help topic"""
-    return ('<span class="helplink"><a href="help?subject=' + subj +
-            '&simple=true" target="_blank" ' +
-            'onclick="return helppopup(\'' + subj + '\')">(?)</a></span>')
+    return ('<span class="helplink"><a href="help?' +
+            cgi.escape(urllib.urlencode(dict(subject=subj, simple='true'))) +
+'" target="_blank" ' +
+            'onclick="return helppopup(' + cgi.escape(jquote(subj)) + ')">(?)</a></span>')
 
 def makeErrorPre(old, addition):
     if addition is None:
diff --git a/code/templates/functions.tmpl b/code/templates/functions.tmpl
index 0854e6f..2ae2266 100644
--- a/code/templates/functions.tmpl
+++ b/code/templates/functions.tmpl
@@ -1,3 +1,4 @@
+#filter WebSafe
 #def databaseList($lst, $default, $onchange, $name, $id, $valueattr, $descattr)
 <select name="$name" id="$id"#slurp
 #if $onchange is not None
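Review bot: `cgi.escape(jquote(subj))` on the new `onclick=` line leaves `"` untouched (Python 2's `cgi.escape` converts only `&`, `<` and `>` unless its second argument is true), so a double quote in `subj` still closes the `onclick="…"` attribute the quoted string is embedded in; pass the flag: `'onclick="return helppopup(' + cgi.escape(jquote(subj), True) + ')">(?)</a></span>')`. `jquote` also does not escape `\r`, which in a JavaScript string literal is a syntax error rather than an injection, and it has no docstring — `"""Return string as a single-quoted JavaScript string literal (escapes backslash, quote and newline)."""` would do. The template hunks in this commit pass only literal topic names to `helppopup`, so the exposure today looks low, but this is the one place that builds script text from a Python value. `cgi` is used here without appearing in the import hunk above; presumably it is already imported before line 11.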
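Review bot: The new `#filter WebSafe` default covers `&`, `<` and `>` but, if I read Cheetah's WebSafe filter correctly, not `"`, so a quote in a redisplayed form value still ends a double-quoted attribute such as `value="$defaults.owner"` in the info.tmpl (@@ -61,27) and list.tmpl (@@ -19,36) hunks. Either the default filter should also turn `"` into `&quot;` (a small filter class used in place of WebSafe would do it in one place) or those attribute placeholders need an explicit quote-escaping wrapper. The matching `#end filter` for this directive only arrives at the very end of the file (@@ -53,5 hunk), which is easy to miss; a Cheetah comment here such as `## everything below is HTML-escaped by default; closed at end of file` would make the scope visible.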
@@ -18,14 +19,17 @@ onchange="$onchange"#slurp #end def #def cdromList($default="", $onchange=None) +#filter None $databaseList(sorted($sipb_xen_database.CDROM.select(), key=lambda x: x.description), default, onchange, 'cdrom', 'cdromlist', 'cdrom_id', 'description') +#end filter #end def #def autoList($default="", $onchange=None) +#filter None $databaseList(sorted($sipb_xen_database.Autoinstall.select(), key=lambda x: x.description), default, onchange, 'autoinstall', 'autoinstalllist', 'autoinstall_id', 'description') -## $databaseList(autos, default, onchange, 'autoinstall', 'autoinstalllist', 'autoinstall_id', 'description') +#end filter #end def #def vmTypeList($default=None) @@ -53,5 +57,7 @@ $databaseList(sorted($sipb_xen_database.Autoinstall.select(), key=lambda x: x.de </tr> #end if #end def - -$full_body \ No newline at end of file +#filter None +$full_body +#end filter +#end filter \ No newline at end of file diff --git a/code/templates/info.tmpl b/code/templates/info.tmpl index fa815ca..91a2c3b 100644 --- a/code/templates/info.tmpl +++ b/code/templates/info.tmpl @@ -40,7 +40,11 @@ Info on $machine.name <td><input type="submit" class="button" name="action" value="Power on"/></td> #end if <td>Boot CD:</td> - <td>$cdromList()</td> + <td>#slurp +#filter None +$cdromList()#slurp +#end filter +</td> </tr> <tr> <td><input type="submit" class="button" name="action" value="Delete VM" onclick="return confirm('Are you sure that you want to delete this VM?');"/></td> 
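Review bot: The `#filter None` / `#end filter` pairs wrapped around `$databaseList(...)` here, and around every other sub-template call in the info.tmpl, list.tmpl and skeleton.tmpl hunks, carry the whole escaping design of this commit, yet no template says why they are there, so the next editor is likely to "simplify" one away. A one-line Cheetah comment at this first use would be enough, e.g. `## call defs under #filter None: they return finished HTML that the WebSafe default must not escape a second time`. The same comment (or a pointer to this one) belongs at the `$full_body` wrapper in the @@ -53,5 hunk below, since that is where the two nested `#end filter` lines are easiest to misread.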
@@ -61,27 +65,57 @@ Info on $machine.name <form action="modify" method="POST"> <input type="hidden" name="machine_id" value="$defaults.machine_id"/> <table> - <tr><td>Owner${helppopup("owner")}:</td><td><input type="text" name="owner", value="$defaults.owner"/></td></tr> + <tr><td>Owner#slurp +#filter None +$helppopup("owner")#slurp +#end filter +:</td><td><input type="text" name="owner", value="$defaults.owner"/></td></tr> +#filter None $errorRow('owner', $err) - <tr><td>Administrator${helppopup("administrator")}:</td><td><input type="text" name="administrator", value="$defaults.administrator"/></td></tr> +#end filter + <tr><td>Administrator#slurp +#filter None +$helppopup("administrator")#slurp +#end filter +:</td><td><input type="text" name="administrator", value="$defaults.administrator"/></td></tr> +#filter None $errorRow('administrator', $err) +#end filter <tr><td>Contact email:</td><td><input type="text" name="contact" value="$defaults.contact"/></td></tr> +#filter None $errorRow('contact', $err) +#end filter #if not $on <tr><td>Machine Name:</td><td><input type="text" name="name" value="$defaults.name"/></td></tr> +#filter None $errorRow('name', $err) +#end filter <tr> - <td>HVM/ParaVM$helppopup('hvm_paravm')</td> - <td>$vmTypeList($defaults.type)</td> + <td>HVM/ParaVM#slurp +#filter None +$helppopup('hvm_paravm')#slurp +#end filter +</td> + <td>#slurp +#filter None +$vmTypeList($defaults.type)#slurp +#end filter +</td> </tr> <tr><td>Ram:</td><td><input type="text" size=3 name="memory" value="$defaults.memory"/>MiB (max $max_mem)</td></tr> +#filter None $errorRow('memory', $err) +#end filter <tr><td>Disk:</td><td><input type="text" size=3 name="disk" value="$defaults.disk"/>GiB (max $max_disk)</td><td>WARNING: Modifying disk size may corrupt your data.</td></tr> +#filter None $errorRow('disk', $err) +#end filter #else +#filter None $errorRow('name', $err) $errorRow('memory', $err) $errorRow('disk', $err) +#end filter #end if <tr><td><input type="submit" 
class="button" name="action" value="Change"/></td></tr> </table> @@ -90,15 +124,21 @@ $errorRow('disk', $err) #def body <div id="info"> +#filter None $infoTable() +#end filter </div> <h2>Commands</h2> <div id="commands"> +#filter None $commands() +#end filter </div> <h2>Settings</h2> <div id="modify"> +#filter None $modifyForm() +#end filter </div> #end def diff --git a/code/templates/list.tmpl b/code/templates/list.tmpl index 71f36ea..7d484f3 100644 --- a/code/templates/list.tmpl +++ b/code/templates/list.tmpl 
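Review bot: The rewritten owner and administrator rows in this hunk keep a stray comma between attributes (`name="owner", value="$defaults.owner"` and `name="administrator", value="$defaults.administrator"`), which is malformed HTML that browsers happen to tolerate; while these lines are being touched, they should become `:</td><td><input type="text" name="owner" value="$defaults.owner"/></td></tr>` and the administrator equivalent. The enclosing `#def` of this form starts before the hunk, so I cannot see whether the other inputs above it share the problem. The `value="$defaults.…"` placeholders on these lines are also the ones a `"` in a submitted value would break out of unless the default filter escapes quotes.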
@@ -19,36 +19,65 @@ VM List <form action="create" method="POST"> <input type="hidden" name="back" value="list"/> <table> +#filter None $errorRow('create', $err) +#end filter <tr> <td>Name</td> <td><input type="text" name="name" value="$defaults.name"/></td> </tr> +#filter None $errorRow('name', $err) +#end filter <tr> <td>Memory</td> <td><input type="text" name="memory" value="$defaults.memory" size=3/> MiB ($max_memory max)</td> </tr> +#filter None $errorRow('memory', $err) +#end filter <tr> <td>Disk</td> <td><input type="text" name="disk" value="$defaults.disk" size=3/> GiB (${"%0.1f" % ($max_disk-0.05)} max)</td> </tr> +#filter None $errorRow('disk', $err) +#end filter <tr> - <td>HVM/ParaVM$helppopup('hvm_paravm')</td> - <td>$vmTypeList($defaults.type)</td> + <td>HVM/ParaVM#slurp +#filter None +$helppopup('hvm_paravm')#slurp +#end filter +</td> + <td> +#filter None +$vmTypeList($defaults.type) +#end filter +</td> </tr> +#filter None $errorRow('vmtype', $err) +#end filter <tr> - <td>Autoinstall$helppopup('autoinstall')</td> - <td><input type="radio" name="cd_or_auto" id="cd_or_auto_auto">$autoList($defaults.cdrom, "document.getElementById('cd_or_auto_auto').checked = true;document.getElementById('cdromlist').value = ''") + <td>Autoinstall#slurp +#filter None +$helppopup('autoinstall')#slurp +#end filter +</td> + <td><input type="radio" name="cd_or_auto" id="cd_or_auto_auto"> +#filter None +$autoList($defaults.cdrom, "document.getElementById('cd_or_auto_auto').checked = true;document.getElementById('cdromlist').value = ''") (experimental; 1-2 minutes, and you have a machine; root pw is 'password'.) 
+#end filter </input> </tr> <tr> <td>Boot CD</td> - <td><input type="radio" name="cd_or_auto" id="cd_or_auto_cd" checked>$cdromList($defaults.cdrom, "document.getElementById('cd_or_auto_cd').checked = true;document.getElementById('autoinstalllist').value = ''")</td> + <td><input type="radio" name="cd_or_auto" id="cd_or_auto_cd" checked> +#filter None +$cdromList($defaults.cdrom, "document.getElementById('cd_or_auto_cd').checked = true;document.getElementById('autoinstalllist').value = ''") +#end filter +</td> </input> </tr> $errorRow('cdrom', $err) @@ -57,7 +86,9 @@ $errorRow('cdrom', $err) <td>Owner</td> <td><input type="text" name="owner" value="$defaults.owner"/></td> </tr> +#filter None $errorRow('owner', $err) +#end filter </table> <input type="submit" class="button" value="Create it!"/> </form> @@ -85,7 +116,9 @@ $machine.uptime#slurp #if $has_vnc[$machine] == True <a href="vnc?machine_id=$machine.machine_id">Console</a>#slurp #else if $has_vnc[$machine] != 'Off' +#filter None $has_vnc[$machine] +#end filter #end if </td> <td> @@ -106,15 +139,25 @@ $has_vnc[$machine] <tr> <th>Name</th> <th>Memory</th> - <th>Owner$helppopup('owner')</th> - <th>Administrator$helppopup('administrator')</th> + <th>Owner#slurp +#filter None +$helppopup('owner')#slurp +#end filter +</th> + <th>Administrator#slurp +#filter None +$helppopup('administrator')#slurp +#end filter +</th> <th>IP</th> <th>Uptime</th> <th>VNC</th> <th></th> </tr> #for $machine in $machines: + #filter None $machineRow($machine) + #end filter #end for </table> #end def @@ -127,7 +170,11 @@ $has_vnc[$machine] #end if <p><a href="list">refresh</a></p> <div id="machinelist"> + #filter None $machineList($machines) + #end filter </div> +#filter None $createForm() +#end filter #end def diff --git a/code/templates/skeleton.tmpl b/code/templates/skeleton.tmpl index e68c819..d7855fb 100644 --- a/code/templates/skeleton.tmpl +++ b/code/templates/skeleton.tmpl 
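Review bot: The `$errorRow('cdrom', $err)` context line that closes this hunk is the only `$errorRow` call in the file left outside a `#filter None` block, so under the new WebSafe default its returned row markup (presumably HTML, like the other calls the commit wraps) would be emitted as escaped text instead of a table row. Wrap it like the others: `#filter None` / `$errorRow('cdrom', $err)` / `#end filter`. The enclosing `#def` of the create form starts before this hunk, so there may be further unwrapped calls above it.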
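Review bot: In the @@ -85,7 hunk the `#filter None` wrapper around `$has_vnc[$machine]` emits a looked-up value with escaping switched off, and the two branches just above compare the same value with `True` and `'Off'`, which suggests a status string rather than pre-built HTML; if so the wrapper should be dropped so the WebSafe default applies. If the value really is HTML assembled in main.py, a Cheetah comment on the line, e.g. `## has_vnc holds ready-made HTML, not a status string`, would stop a later reviewer from removing the wrapper for the reason given here.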
@@ -59,7 +59,6 @@ function helppopup(name){ <li><a href="help">Help</a></ul></li> </ul> #end if - <div id="result" class="result"> #if $varExists('result') $result @@ -69,7 +68,9 @@ $result #if not $varExists('simple') or not $simple <h1>$title — SIPB Virtual Servers</h1> #end if +#filter None $body +#end filter #if not $varExists('simple') or not $simple <hr /> Questions? Contact <a href="mailto:sipb-xen@mit.edu">sipb-xen@mit.edu</a>.