Merge pull request #12773 from MrPetovan/bug/return-xss

Ensure arbitrary HTTPException messages are HTML escaped
Philipp 2023-02-05 20:02:57 +01:00 committed by GitHub
commit bb92870ebb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 122 additions and 68 deletions


@ -341,7 +341,7 @@ class BaseURL
public function redirect(string $toUrl = '', bool $ssl = false)
{
if (!empty(parse_url($toUrl, PHP_URL_SCHEME))) {
throw new HTTPException\InternalServerErrorException("'$toUrl is not a relative path, please use System::externalRedirectTo");
throw new HTTPException\InternalServerErrorException("$toUrl is not a relative path, please use System::externalRedirectTo");
}
$redirectTo = $this->get($ssl) . '/' . ltrim($toUrl, '/');
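Review bot: The kept exception message still interpolates the caller-supplied `$toUrl` verbatim, so its safe display now depends entirely on the escaping this PR adds in the HTTPException module and templates; make that dependency visible with a comment such as `// $toUrl is echoed back on the error page; it is HTML-escaped by the HTTPException module, not here`. A `sprintf` form also reads better than interpolation: `throw new HTTPException\InternalServerErrorException(sprintf('%s is not a relative path, please use System::externalRedirectTo', $toUrl));`. Separately, `parse_url()` returns `false` for a seriously malformed URL and `empty(false)` is true, so such input passes the guard; that may be acceptable since the result is still prefixed with the base URL, but it is worth stating. The `redirect` method continues outside the hunk.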


@ -37,6 +37,7 @@ use Friendica\Model\Post;
use Friendica\Model\Profile;
use Friendica\Model\User;
use Friendica\Module\Response;
use Friendica\Module\Special\DisplayNotFound;
use Friendica\Navigation\Notifications\Repository\Notification;
use Friendica\Navigation\Notifications\Repository\Notify;
use Friendica\Protocol\ActivityPub;
@ -246,14 +247,8 @@ class Display extends BaseModule
if (empty($item)) {
$this->page['aside'] = '';
throw new HTTPException\NotFoundException($this->t('Unfortunately, the requested conversation isn\'t available to you.</p>
<p>Possible reasons include:</p>
<ul>
<li>The top-level post isn\'t visible.</li>
<li>The top-level post was deleted.</li>
<li>The node has blocked the top-level author or the author of the shared post.</li>
<li>You have ignored or blocked the top-level author or the author of the shared post.</li>
</ul><p>'));
$displayNotFound = new DisplayNotFound($this->l10n, $this->baseUrl, $this->args, $this->logger, $this->profiler, $this->response, $this->server, $this->parameters);
return $displayNotFound->content();
}
$item['uri-id'] = $item['parent-uri-id'];
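Review bot: Returning `$displayNotFound->content()` instead of throwing `NotFoundException` means this branch no longer yields a 404 status unless something else sets it; from the visible lines the response goes out with whatever status is already on `$this->response`, presumably 200. Set a 404 status on `$this->response` before the `return`, or have `DisplayNotFound::content()` do it, so clients and crawlers keep seeing the missing conversation as not found. The enclosing `content()` method of `Display` starts and ends outside the hunk.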


@ -0,0 +1,49 @@
<?php
/**
* @copyright Copyright (C) 2010-2023, the Friendica project
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace Friendica\Module\Special;
use Friendica\Core\Renderer;
/**
* This is a special case of the HTTPException module where the message is intended to be HTML.
* This module should be called directly from the Display module and shouldn't be routed to.
*/
class DisplayNotFound extends \Friendica\BaseModule
{
protected function content(array $request = []): string
{
$tpl = Renderer::getMarkupTemplate('special/displaynotfound.tpl');
return Renderer::replaceMacros($tpl, [
'$l10n' => [
'title' => $this->t('Not Found'),
'message' => $this->t("<p>Unfortunately, the requested conversation isn't available to you.</p>
<p>Possible reasons include:</p>
<ul>
<li>The top-level post isn't visible.</li>
<li>The top-level post was deleted.</li>
<li>The node has blocked the top-level author or the author of the shared post.</li>
<li>You have ignored or blocked the top-level author or the author of the shared post.</li>
</ul>"),
]
]);
}
}
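Review bot: The strings are passed nested under `'$l10n'` (`$l10n.title`, `$l10n.message`) while the template added in this PR reads top-level `{{$title}}` and `{{$message nofilter}}`; unless `Renderer::replaceMacros` flattens that array, both render empty. Either reference `{{$l10n.title}}` and `{{$l10n.message nofilter}}` in `special/displaynotfound.tpl`, or pass `'$title'` and `'$message'` at the top level here. Because the template emits the message with `nofilter`, the translated string is trusted HTML and the class docblock should say so, e.g. `The message is rendered unescaped, so it must only ever come from the translation catalogue, never from request data.` Also, `\Friendica\BaseModule` is referenced fully qualified while `Renderer` is imported; a `use Friendica\BaseModule;` keeps the style consistent.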


@ -104,6 +104,7 @@ class HTTPException
$tpl = Renderer::getMarkupTemplate('http_status.tpl');
$content = Renderer::replaceMacros($tpl, $vars);
} catch (\Exception $e) {
$vars = array_map('htmlentities', $vars);
$content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>";
if ($this->isSiteAdmin) {
$content .= "<p>{$vars['$thrown']}</p>";
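Review bot: `array_map('htmlentities', $vars)` is applied to every entry of `$vars`, and in PHP 8 `htmlentities()` throws a `TypeError` for an array argument and emits a deprecation for `null`; since this runs inside the `catch` fallback, a non-string entry would turn the error page itself into an uncaught error. Restrict the escaping to strings and use explicit flags so single quotes are covered on PHP before 8.1 as well: `$vars = array_map(static fn ($v) => is_string($v) ? htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $v, $vars);`. Whether `$vars` can currently carry non-strings is not visible here, so treat this as defensive hardening of the last-resort path. The enclosing method continues past the hunk, where the stack trace is presumably appended and should be escaped the same way.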


@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: 2023.03-dev\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2023-01-23 06:47+0000\n"
"POT-Creation-Date: 2023-02-04 19:53-0500\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@ -1925,39 +1925,39 @@ msgstr ""
msgid "last"
msgstr ""
#: src/Content/Text/BBCode.php:1015 src/Content/Text/BBCode.php:1877
#: src/Content/Text/BBCode.php:1878
#: src/Content/Text/BBCode.php:949 src/Content/Text/BBCode.php:1811
#: src/Content/Text/BBCode.php:1812
msgid "Image/photo"
msgstr ""
#: src/Content/Text/BBCode.php:1232
#: src/Content/Text/BBCode.php:1166
#, php-format
msgid ""
"<a href=\"%1$s\" target=\"_blank\" rel=\"noopener noreferrer\">%2$s</a> %3$s"
msgstr ""
#: src/Content/Text/BBCode.php:1257 src/Model/Item.php:3572
#: src/Content/Text/BBCode.php:1191 src/Model/Item.php:3572
#: src/Model/Item.php:3578 src/Model/Item.php:3579
msgid "Link to source"
msgstr ""
#: src/Content/Text/BBCode.php:1795 src/Content/Text/HTML.php:929
#: src/Content/Text/BBCode.php:1729 src/Content/Text/HTML.php:929
msgid "Click to open/close"
msgstr ""
#: src/Content/Text/BBCode.php:1826
#: src/Content/Text/BBCode.php:1760
msgid "$1 wrote:"
msgstr ""
#: src/Content/Text/BBCode.php:1882 src/Content/Text/BBCode.php:1883
#: src/Content/Text/BBCode.php:1816 src/Content/Text/BBCode.php:1817
msgid "Encrypted content"
msgstr ""
#: src/Content/Text/BBCode.php:2110
#: src/Content/Text/BBCode.php:2044
msgid "Invalid source protocol"
msgstr ""
#: src/Content/Text/BBCode.php:2125
#: src/Content/Text/BBCode.php:2059
msgid "Invalid link protocol"
msgstr ""
@ -2896,68 +2896,68 @@ msgstr ""
msgid "Forum"
msgstr ""
#: src/Model/Contact.php:2929
#: src/Model/Contact.php:2942
msgid "Disallowed profile URL."
msgstr ""
#: src/Model/Contact.php:2934 src/Module/Friendica.php:83
#: src/Model/Contact.php:2947 src/Module/Friendica.php:83
msgid "Blocked domain"
msgstr ""
#: src/Model/Contact.php:2939
#: src/Model/Contact.php:2952
msgid "Connect URL missing."
msgstr ""
#: src/Model/Contact.php:2948
#: src/Model/Contact.php:2961
msgid ""
"The contact could not be added. Please check the relevant network "
"credentials in your Settings -> Social Networks page."
msgstr ""
#: src/Model/Contact.php:2966
#: src/Model/Contact.php:2979
#, php-format
msgid "Expected network %s does not match actual network %s"
msgstr ""
#: src/Model/Contact.php:2983
#: src/Model/Contact.php:2996
msgid "The profile address specified does not provide adequate information."
msgstr ""
#: src/Model/Contact.php:2985
#: src/Model/Contact.php:2998
msgid "No compatible communication protocols or feeds were discovered."
msgstr ""
#: src/Model/Contact.php:2988
#: src/Model/Contact.php:3001
msgid "An author or name was not found."
msgstr ""
#: src/Model/Contact.php:2991
#: src/Model/Contact.php:3004
msgid "No browser URL could be matched to this address."
msgstr ""
#: src/Model/Contact.php:2994
#: src/Model/Contact.php:3007
msgid ""
"Unable to match @-style Identity Address with a known protocol or email "
"contact."
msgstr ""
#: src/Model/Contact.php:2995
#: src/Model/Contact.php:3008
msgid "Use mailto: in front of address to force email check."
msgstr ""
#: src/Model/Contact.php:3001
#: src/Model/Contact.php:3014
msgid ""
"The profile address specified belongs to a network which has been disabled "
"on this site."
msgstr ""
#: src/Model/Contact.php:3006
#: src/Model/Contact.php:3019
msgid ""
"Limited profile. This person will be unable to receive direct/personal "
"notifications from you."
msgstr ""
#: src/Model/Contact.php:3071
#: src/Model/Contact.php:3084
msgid "Unable to retrieve contact information."
msgstr ""
@ -3188,7 +3188,7 @@ msgstr ""
msgid "[no subject]"
msgstr ""
#: src/Model/Photo.php:1178 src/Module/Media/Photo/Upload.php:198
#: src/Model/Photo.php:1184 src/Module/Media/Photo/Upload.php:198
msgid "Wall Photos"
msgstr ""
@ -5373,26 +5373,26 @@ msgstr ""
msgid "User registrations waiting for confirmation"
msgstr ""
#: src/Module/BaseApi.php:255 src/Module/BaseApi.php:271
#: src/Module/BaseApi.php:287
#: src/Module/BaseApi.php:266 src/Module/BaseApi.php:282
#: src/Module/BaseApi.php:298
msgid "Too Many Requests"
msgstr ""
#: src/Module/BaseApi.php:256
#: src/Module/BaseApi.php:267
#, php-format
msgid "Daily posting limit of %d post reached. The post was rejected."
msgid_plural "Daily posting limit of %d posts reached. The post was rejected."
msgstr[0] ""
msgstr[1] ""
#: src/Module/BaseApi.php:272
#: src/Module/BaseApi.php:283
#, php-format
msgid "Weekly posting limit of %d post reached. The post was rejected."
msgid_plural "Weekly posting limit of %d posts reached. The post was rejected."
msgstr[0] ""
msgstr[1] ""
#: src/Module/BaseApi.php:288
#: src/Module/BaseApi.php:299
#, php-format
msgid "Monthly posting limit of %d post reached. The post was rejected."
msgid_plural ""
@ -5875,7 +5875,7 @@ msgstr[1] ""
#: src/Module/Contact/Follow.php:69 src/Module/Contact/Redir.php:62
#: src/Module/Contact/Redir.php:222 src/Module/Conversation/Community.php:194
#: src/Module/Debug/ItemBody.php:38 src/Module/Diaspora/Receive.php:57
#: src/Module/Item/Display.php:95 src/Module/Item/Feed.php:59
#: src/Module/Item/Display.php:96 src/Module/Item/Feed.php:59
#: src/Module/Item/Follow.php:41 src/Module/Item/Ignore.php:41
#: src/Module/Item/Pin.php:41 src/Module/Item/Pin.php:56
#: src/Module/Item/Star.php:42 src/Module/Update/Display.php:37
@ -7158,24 +7158,10 @@ msgid ""
"<a href=\"/settings/display\">Theme Customization settings</a>."
msgstr ""
#: src/Module/Item/Display.php:135 src/Module/Update/Display.php:55
#: src/Module/Item/Display.php:136 src/Module/Update/Display.php:55
msgid "The requested item doesn't exist or has been deleted."
msgstr ""
#: src/Module/Item/Display.php:249
msgid ""
"Unfortunately, the requested conversation isn't available to you.</p>\n"
"<p>Possible reasons include:</p>\n"
"<ul>\n"
"\t<li>The top-level post isn't visible.</li>\n"
"\t<li>The top-level post was deleted.</li>\n"
"\t<li>The node has blocked the top-level author or the author of the shared "
"post.</li>\n"
"\t<li>You have ignored or blocked the top-level author or the author of the "
"shared post.</li>\n"
"</ul><p>"
msgstr ""
#: src/Module/Item/Feed.php:86
msgid "The feed for this item is unavailable."
msgstr ""
@ -8068,7 +8054,7 @@ msgstr ""
msgid "Unsupported or missing response type"
msgstr ""
#: src/Module/OAuth/Authorize.php:59 src/Module/OAuth/Token.php:76
#: src/Module/OAuth/Authorize.php:59 src/Module/OAuth/Token.php:77
msgid "Incomplete request data"
msgstr ""
@ -8079,11 +8065,11 @@ msgid ""
"close this window: %s"
msgstr ""
#: src/Module/OAuth/Token.php:81
#: src/Module/OAuth/Token.php:82
msgid "Invalid data or unknown client"
msgstr ""
#: src/Module/OAuth/Token.php:100
#: src/Module/OAuth/Token.php:104
msgid "Unsupported or missing grant type"
msgstr ""
@ -8264,20 +8250,20 @@ msgstr ""
#: src/Module/Profile/Conversations.php:106
#: src/Module/Profile/Conversations.php:109 src/Module/Profile/Profile.php:351
#: src/Module/Profile/Profile.php:354 src/Protocol/Feed.php:1025
#: src/Protocol/OStatus.php:1045
#: src/Module/Profile/Profile.php:354 src/Protocol/Feed.php:1026
#: src/Protocol/OStatus.php:1007
#, php-format
msgid "%s's timeline"
msgstr ""
#: src/Module/Profile/Conversations.php:107 src/Module/Profile/Profile.php:352
#: src/Protocol/Feed.php:1029 src/Protocol/OStatus.php:1050
#: src/Protocol/Feed.php:1030 src/Protocol/OStatus.php:1012
#, php-format
msgid "%s's posts"
msgstr ""
#: src/Module/Profile/Conversations.php:108 src/Module/Profile/Profile.php:353
#: src/Protocol/Feed.php:1032 src/Protocol/OStatus.php:1054
#: src/Protocol/Feed.php:1033 src/Protocol/OStatus.php:1016
#, php-format
msgid "%s's comments"
msgstr ""
@ -10359,6 +10345,24 @@ msgid ""
"e.g. Mastodon."
msgstr ""
#: src/Module/Special/DisplayNotFound.php:37
msgid "Not Found"
msgstr ""
#: src/Module/Special/DisplayNotFound.php:38
msgid ""
"<p>Unfortunately, the requested conversation isn't available to you.</p>\n"
"<p>Possible reasons include:</p>\n"
"<ul>\n"
"\t<li>The top-level post isn't visible.</li>\n"
"\t<li>The top-level post was deleted.</li>\n"
"\t<li>The node has blocked the top-level author or the author of the shared "
"post.</li>\n"
"\t<li>You have ignored or blocked the top-level author or the author of the "
"shared post.</li>\n"
"</ul>"
msgstr ""
#: src/Module/Special/HTTPException.php:78
msgid "Stack trace:"
msgstr ""
@ -11332,21 +11336,21 @@ msgstr ""
msgid "(no subject)"
msgstr ""
#: src/Protocol/OStatus.php:1470
#: src/Protocol/OStatus.php:1388
#, php-format
msgid "%s is now following %s."
msgstr ""
#: src/Protocol/OStatus.php:1471
#: src/Protocol/OStatus.php:1389
msgid "following"
msgstr ""
#: src/Protocol/OStatus.php:1474
#: src/Protocol/OStatus.php:1392
#, php-format
msgid "%s stopped following %s."
msgstr ""
#: src/Protocol/OStatus.php:1475
#: src/Protocol/OStatus.php:1393
msgid "stopped following"
msgstr ""


@ -1,7 +1,7 @@
<div id="exception" class="generic-page-wrapper">
<img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
<h1>{{$title}}</h1>
<p>{{$message nofilter}}</p>
<p>{{$message}}</p>
{{if $thrown}}
<pre>{{$thrown}}
{{$stack_trace}}
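Review bot: Dropping `nofilter` on `$message` only escapes anything if Smarty auto-escaping is active for this renderer; the other templates on this page rely on `nofilter` to opt out, which suggests it is, but that is an inference worth confirming rather than assuming. A template comment would keep the next person from re-adding `nofilter` for an HTML message: `{* $message is auto-escaped on purpose: exception messages can carry request data. HTML pages need their own template, see special/displaynotfound.tpl *}`. `$thrown` and `$stack_trace` are already rendered escaped inside `<pre>`, which is consistent with this change.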


@ -4,7 +4,7 @@
</head>
<body>
<h1>{{$title}}</h1>
<p>{{$message nofilter}}</p>
<p>{{$message}}</p>
{{if $trace}}
<pre>{{$trace nofilter}}</pre>
{{/if}}
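Review bot: `{{$trace nofilter}}` on the line after the changed one is still emitted raw while `$message` on the same page is now escaped; if `$trace` includes the exception message (a stack trace normally opens with it) or the messages of chained previous exceptions, the same request-derived text reaches the page unescaped through that path. If `$trace` is plain text, `<pre>{{$trace}}</pre>` is the consistent form; if it is deliberately pre-built HTML, make sure the producer escapes the message parts and record that in a `{* ... *}` comment here. The `{{if $trace}}` guard suggests this block is only filled for administrators, which narrows but does not remove the exposure.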


@ -0,0 +1,5 @@
<div id="exception" class="generic-page-wrapper">
<img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
<h1>{{$title}}</h1>
{{$message nofilter}}
</div>
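Review bot: `{{$message nofilter}}` emits the message unescaped, and nothing in the template records that this is only safe because the value comes from the translation catalogue in `DisplayNotFound`; a comment at the top, `{* $message is trusted HTML from DisplayNotFound's l10n strings; never route request data into this template *}`, keeps a later refactor from reusing it for arbitrary HTTPException messages. The module docblock says the page must not be routed to, so that constraint belongs here as well.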