From: Eric Price <ecprice@mit.edu>
Date: Tue, 22 Apr 2008 05:37:50 +0000 (-0400)
Subject: Avoid html injection.
X-Git-Tag: sipb-xen-www/3.4~22
X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/7b924b8f4ec3c62b70a012f7d417beb230db8965

Avoid html injection.

Cheetah is painful.


svn path=/trunk/packages/sipb-xen-www/; revision=447
---

diff --git a/code/main.py b/code/main.py
index de28a63..3b43859 100755
--- a/code/main.py
+++ b/code/main.py
@@ -11,6 +11,7 @@ import sha
 import simplejson
 import sys
 import time
+import urllib
 from StringIO import StringIO
 
 def revertStandardError():
@@ -58,12 +59,15 @@ class Checkpoint:
 
 checkpoint = Checkpoint()
 
+def jquote(string):
+    return "'" + string.replace('\\', '\\\\').replace("'", "\\'").replace('\n', '\\n') + "'"
 
 def helppopup(subj):
     """Return HTML code for a (?) link to a specified help topic"""
-    return ('<span class="helplink"><a href="help?subject=' + subj +
-            '&amp;simple=true" target="_blank" ' +
-            'onclick="return helppopup(\'' + subj + '\')">(?)</a></span>')
+    return ('<span class="helplink"><a href="help?' +
+            cgi.escape(urllib.urlencode(dict(subject=subj, simple='true')))
+            +'" target="_blank" ' +
+            'onclick="return helppopup(' + cgi.escape(jquote(subj)) + ')">(?)</a></span>')
 
 def makeErrorPre(old, addition):
     if addition is None:
diff --git a/code/templates/functions.tmpl b/code/templates/functions.tmpl
index 0854e6f..2ae2266 100644
--- a/code/templates/functions.tmpl
+++ b/code/templates/functions.tmpl
@@ -1,3 +1,4 @@
+#filter WebSafe
 #def databaseList($lst, $default, $onchange, $name, $id, $valueattr, $descattr)
 <select name="$name" id="$id"#slurp
 #if $onchange is not None
@@ -18,14 +19,17 @@ onchange="$onchange"#slurp
 #end def
 
 #def cdromList($default="", $onchange=None)
+#filter None
 $databaseList(sorted($sipb_xen_database.CDROM.select(), key=lambda x: x.description),
               default, onchange, 'cdrom', 'cdromlist', 'cdrom_id', 'description')
+#end filter
 #end def
 
 #def autoList($default="", $onchange=None)
+#filter None
 $databaseList(sorted($sipb_xen_database.Autoinstall.select(), key=lambda x: x.description),
               default, onchange, 'autoinstall', 'autoinstalllist', 'autoinstall_id', 'description')
-## $databaseList(autos, default, onchange, 'autoinstall', 'autoinstalllist', 'autoinstall_id', 'description')
+#end filter
 #end def
 
 #def vmTypeList($default=None)
@@ -53,5 +57,7 @@ $databaseList(sorted($sipb_xen_database.Autoinstall.select(), key=lambda x: x.de
 </tr>
 #end if
 #end def
-
-$full_body
\ No newline at end of file
+#filter None
+$full_body
+#end filter
+#end filter
\ No newline at end of file
diff --git a/code/templates/info.tmpl b/code/templates/info.tmpl
index fa815ca..91a2c3b 100644
--- a/code/templates/info.tmpl
+++ b/code/templates/info.tmpl
@@ -40,7 +40,11 @@ Info on $machine.name
 	<td><input type="submit" class="button" name="action" value="Power on"/></td>
 	#end if
       <td>Boot CD:</td>
-      <td>$cdromList()</td>
+      <td>#slurp
+#filter None
+$cdromList()#slurp
+#end filter
+</td>
   </tr>
     <tr>
       <td><input type="submit" class="button" name="action" value="Delete VM" onclick="return confirm('Are you sure that you want to delete this VM?');"/></td>
@@ -61,27 +65,57 @@ Info on $machine.name
 <form action="modify" method="POST">
   <input type="hidden" name="machine_id" value="$defaults.machine_id"/>
   <table>
-    <tr><td>Owner${helppopup("owner")}:</td><td><input type="text" name="owner", value="$defaults.owner"/></td></tr>
+    <tr><td>Owner#slurp
+#filter None
+$helppopup("owner")#slurp
+#end filter
+:</td><td><input type="text" name="owner", value="$defaults.owner"/></td></tr>
+#filter None
 $errorRow('owner', $err)
-    <tr><td>Administrator${helppopup("administrator")}:</td><td><input type="text" name="administrator", value="$defaults.administrator"/></td></tr>
+#end filter
+    <tr><td>Administrator#slurp
+#filter None
+$helppopup("administrator")#slurp
+#end filter
+:</td><td><input type="text" name="administrator", value="$defaults.administrator"/></td></tr>
+#filter None
 $errorRow('administrator', $err)
+#end filter
     <tr><td>Contact email:</td><td><input type="text" name="contact" value="$defaults.contact"/></td></tr>
+#filter None
 $errorRow('contact', $err)
+#end filter
 #if not $on
     <tr><td>Machine Name:</td><td><input type="text" name="name" value="$defaults.name"/></td></tr>
+#filter None
 $errorRow('name', $err)
+#end filter
     <tr>
-      <td>HVM/ParaVM$helppopup('hvm_paravm')</td>
-      <td>$vmTypeList($defaults.type)</td>
+      <td>HVM/ParaVM#slurp
+#filter None
+$helppopup('hvm_paravm')#slurp
+#end filter
+</td>
+      <td>#slurp
+#filter None
+$vmTypeList($defaults.type)#slurp
+#end filter
+</td>
     </tr>
     <tr><td>Ram:</td><td><input type="text" size=3 name="memory" value="$defaults.memory"/>MiB (max $max_mem)</td></tr>
+#filter None
 $errorRow('memory', $err)
+#end filter
     <tr><td>Disk:</td><td><input type="text" size=3 name="disk" value="$defaults.disk"/>GiB (max $max_disk)</td><td>WARNING: Modifying disk size may corrupt your data.</td></tr>
+#filter None
 $errorRow('disk', $err)
+#end filter
 #else
+#filter None
 $errorRow('name', $err)
 $errorRow('memory', $err)
 $errorRow('disk', $err)
+#end filter
 #end if
     <tr><td><input type="submit" class="button" name="action" value="Change"/></td></tr>
   </table>
@@ -90,15 +124,21 @@ $errorRow('disk', $err)
 
 #def body
 <div id="info">
+#filter None
   $infoTable()
+#end filter
 </div>
 
 <h2>Commands</h2>
 <div id="commands">
+#filter None
   $commands()
+#end filter
 </div>
 <h2>Settings</h2>
 <div id="modify">
+#filter None
   $modifyForm()
+#end filter
 </div>
 #end def
diff --git a/code/templates/list.tmpl b/code/templates/list.tmpl
index 71f36ea..7d484f3 100644
--- a/code/templates/list.tmpl
+++ b/code/templates/list.tmpl
@@ -19,36 +19,65 @@ VM List
     <form action="create" method="POST">
     <input type="hidden" name="back" value="list"/>
       <table>
+#filter None
       $errorRow('create', $err)
+#end filter
 	<tr>
 	  <td>Name</td>
 	  <td><input type="text" name="name" value="$defaults.name"/></td>
 	</tr>
+#filter None
 $errorRow('name', $err)
+#end filter
 	<tr>
 	  <td>Memory</td>
 	  <td><input type="text" name="memory" value="$defaults.memory" size=3/> MiB ($max_memory max)</td>
 	</tr>
+#filter None
 $errorRow('memory', $err)
+#end filter
 	<tr>
 	  <td>Disk</td>
 	  <td><input type="text" name="disk" value="$defaults.disk" size=3/> GiB (${"%0.1f" % ($max_disk-0.05)} max)</td>
 	</tr>
+#filter None
 $errorRow('disk', $err)
+#end filter
         <tr>
-          <td>HVM/ParaVM$helppopup('hvm_paravm')</td>
-          <td>$vmTypeList($defaults.type)</td>
+          <td>HVM/ParaVM#slurp
+#filter None
+$helppopup('hvm_paravm')#slurp
+#end filter
+</td>
+          <td>
+#filter None
+$vmTypeList($defaults.type)
+#end filter
+</td>
         </tr>
+#filter None
 $errorRow('vmtype', $err)
+#end filter
 	<tr>
-	  <td>Autoinstall$helppopup('autoinstall')</td>
-	  <td><input type="radio" name="cd_or_auto" id="cd_or_auto_auto">$autoList($defaults.cdrom, "document.getElementById('cd_or_auto_auto').checked = true;document.getElementById('cdromlist').value = ''")
+	  <td>Autoinstall#slurp
+#filter None
+$helppopup('autoinstall')#slurp
+#end filter
+</td>
+	  <td><input type="radio" name="cd_or_auto" id="cd_or_auto_auto">
+#filter None
+$autoList($defaults.cdrom, "document.getElementById('cd_or_auto_auto').checked = true;document.getElementById('cdromlist').value = ''")
 	      (experimental; 1-2 minutes, and you have a machine; root pw is 'password'.)
+#end filter
 	  </input>
 	</tr>
 	<tr>
 	  <td>Boot CD</td>
-	  <td><input type="radio" name="cd_or_auto" id="cd_or_auto_cd" checked>$cdromList($defaults.cdrom, "document.getElementById('cd_or_auto_cd').checked = true;document.getElementById('autoinstalllist').value = ''")</td>
+	  <td><input type="radio" name="cd_or_auto" id="cd_or_auto_cd" checked>
+#filter None
+$cdromList($defaults.cdrom, "document.getElementById('cd_or_auto_cd').checked = true;document.getElementById('autoinstalllist').value = ''")
+#end filter
+</td>
 	  </input>
 	</tr>
 $errorRow('cdrom', $err)
@@ -57,7 +86,9 @@ $errorRow('cdrom', $err)
 	  <td>Owner</td>
 	  <td><input type="text" name="owner" value="$defaults.owner"/></td>
 	</tr>
+#filter None
 	$errorRow('owner', $err)
+#end filter
       </table>
       <input type="submit" class="button" value="Create it!"/>
     </form>
@@ -85,7 +116,9 @@ $machine.uptime#slurp
 #if $has_vnc[$machine] == True
 <a href="vnc?machine_id=$machine.machine_id">Console</a>#slurp
 #else if $has_vnc[$machine] != 'Off'
+#filter None
 $has_vnc[$machine]
+#end filter
 #end if
 </td>
 	<td>
@@ -106,15 +139,25 @@ $has_vnc[$machine]
       <tr>
 	<th>Name</th>
 	<th>Memory</th>
-	<th>Owner$helppopup('owner')</th>
-        <th>Administrator$helppopup('administrator')</th>
+	<th>Owner#slurp
+#filter None
+$helppopup('owner')#slurp
+#end filter
+</th>
+        <th>Administrator#slurp
+#filter None
+$helppopup('administrator')#slurp
+#end filter
+</th>
 	<th>IP</th>
 	<th>Uptime</th>
 	<th>VNC</th>
 	<th></th>
       </tr>
       #for $machine in $machines:
+    #filter None
 	$machineRow($machine)
+    #end filter
       #end for
     </table>
 #end def
@@ -127,7 +170,11 @@ $has_vnc[$machine]
 #end if
     <p><a href="list">refresh</a></p>
     <div id="machinelist">
+    #filter None
     $machineList($machines)
+    #end filter
     </div>
+#filter None
 $createForm()
+#end filter
 #end def
diff --git a/code/templates/skeleton.tmpl b/code/templates/skeleton.tmpl
index e68c819..d7855fb 100644
--- a/code/templates/skeleton.tmpl
+++ b/code/templates/skeleton.tmpl
@@ -59,7 +59,6 @@ function helppopup(name){
 <li><a href="help">Help</a></ul></li>
 </ul>
 #end if
-
 <div id="result" class="result">
 #if $varExists('result')
 $result
@@ -69,7 +68,9 @@ $result
 #if not $varExists('simple') or not $simple
 <h1>$title &mdash; SIPB Virtual Servers</h1>
 #end if
+#filter None
 $body
+#end filter
 #if not $varExists('simple') or not $simple
 <hr />
 Questions? Contact <a href="mailto:sipb-xen@mit.edu">sipb-xen@mit.edu</a>.

Owner${helppopup("owner")}:
Owner#slurp +#filter None +$helppopup("owner")#slurp +#end filter +:
Administrator${helppopup("administrator")}:
Administrator#slurp +#filter None +$helppopup("administrator")#slurp +#end filter +:
Contact email:
Machine Name:
HVM/ParaVM$helppopup('hvm_paravm')	$vmTypeList($defaults.type)	HVM/ParaVM#slurp +#filter None +$helppopup('hvm_paravm')#slurp +#end filter +	#slurp +#filter None +$vmTypeList($defaults.type)#slurp +#end filter +
Ram:	MiB (max $max_mem)
Disk:	GiB (max $max_disk)	WARNING: Modifying disk size may corrupt your data.
Name
Memory	MiB ($max_memory max)
Disk	GiB (${"%0.1f" % ($max_disk-0.05)} max)
HVM/ParaVM$helppopup('hvm_paravm')	$vmTypeList($defaults.type)	HVM/ParaVM#slurp +#filter None +$helppopup('hvm_paravm')#slurp +#end filter +	+#filter None +$vmTypeList($defaults.type) +#end filter +
Autoinstall$helppopup('autoinstall')	$autoList($defaults.cdrom, "document.getElementById('cd_or_auto_auto').checked = true;document.getElementById('cdromlist').value = ''") +	Autoinstall#slurp +#filter None +$helppopup('autoinstall')#slurp +#end filter +	+#filter None +$autoList($defaults.cdrom, "document.getElementById('cd_or_auto_auto').checked = true;document.getElementById('cdromlist').value = ''") (experimental; 1-2 minutes, and you have a machine; root pw is 'password'.) +#end filter
Boot CD	$cdromList($defaults.cdrom, "document.getElementById('cd_or_auto_cd').checked = true;document.getElementById('autoinstalllist').value = ''")	+#filter None +$cdromList($defaults.cdrom, "document.getElementById('cd_or_auto_cd').checked = true;document.getElementById('autoinstalllist').value = ''") +#end filter +
Owner