From: eldy <> Date: Sat, 24 Sep 2011 01:02:22 +0000 (+0000) Subject: Fix: Sanitize parameters X-Git-Tag: AWSTATS_7_0_BETA~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f8cefe3434c3bb98b4e65fc57bba5d13a1a5f8b5;p=thirdparty%2FAWStats.git Fix: Sanitize parameters --- diff --git a/wwwroot/cgi-bin/awredir.pl b/wwwroot/cgi-bin/awredir.pl index 24f68631..2487f791 100644 --- a/wwwroot/cgi-bin/awredir.pl +++ b/wwwroot/cgi-bin/awredir.pl @@ -76,6 +76,27 @@ sub DecodeEncodedString { return $stringtodecode; } +#------------------------------------------------------------------------------ +# Function: Clean a string of HTML tags to avoid 'Cross Site Scripting attacks' +# and clean | char. +# Parameters: stringtoclean +# Input: None +# Output: None +# Return: cleanedstring +#------------------------------------------------------------------------------ +sub CleanXSS { + my $stringtoclean = shift; + + # To avoid html tags and javascript + $stringtoclean =~ s//>/g; + $stringtoclean =~ s/|//g; + + # To avoid onload=" + $stringtoclean =~ s/onload//g; + return $stringtoclean; +} + #------------------------------------------------------- # MAIN @@ -127,6 +148,12 @@ elsif ($Url =~ /url=(.+)$/) { $Url=$1; } $Url = DecodeEncodedString($Url); $UrlParam=$Url; +# Sanitize parameters +$Tag=CleanXSS($Tag); +$Key=CleanXSS($Key); +$UrlParam=CleanXSS($UrlParam); + + if (! $UrlParam) { error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:
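Review bot: In the new CleanXSS, the line `$stringtoclean =~ s/|//g;` removes nothing, because an unescaped `|` is regex alternation and the pattern only ever matches the empty string; the intended form is `$stringtoclean =~ s/\|//g;`. The `s/onload//g` line is a single-pass, case-sensitive denylist: `ONLOAD`, `onloonloadad` (one removal leaves `onload` behind) and every other handler name such as `onerror` or `onmouseover` pass straight through, so at minimum it should be `1 while $stringtoclean =~ s/onload//gi;` and the header comment should state that this is not a complete defence. Since the comment says the goal is to stop `onload="` attribute injection, encoding the quote characters as well (`$stringtoclean =~ s/"/&quot;/g;`, and the same for the single quote) would prevent attribute break-out regardless of the handler name. The `<`/`>` substitutions appear garbled in this rendering (`s//>/g`), so I cannot confirm what they actually replace with.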
/cgi-bin/$PROG.pl?url=http://urltogo"); }
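Review bot: Passing `$UrlParam` through CleanXSS strips markup from the redirect target, but nothing in this hunk checks that the result is an http(s) URL or is free of CR/LF, so a `javascript:` value, or one containing a raw newline (DecodeEncodedString runs immediately before and may well turn `%0D%0A` into line breaks, which I cannot confirm from here), passes the sanitizer; where `$UrlParam` is eventually emitted — presumably a `Location:` header or a link in the response body — lies outside the hunk. An allow-list check right after the sanitizing block is a stronger guarantee than tag stripping, e.g. `if ($UrlParam !~ m{^https?://}i || $UrlParam =~ /[\r\n]/) { error("Error: Bad url parameter"); }`. This script is a redirector by design, so that check still does not constrain the destination host; if open redirect to arbitrary hosts matters, a host allow-list or a keyed URL (perhaps what `$Key` is already meant for) would be needed. The ordering here — decode first, then CleanXSS — is correct, since sanitizing before DecodeEncodedString would let `%3C` slip past.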