HTML-escape the plain traceback in cgitb's HTML output, to prevent

author Georg Brandl <georg@python.org>

Tue, 15 May 2007 20:19:34 +0000 (20:19 +0000)

committer Georg Brandl <georg@python.org>

Tue, 15 May 2007 20:19:34 +0000 (20:19 +0000)
author Georg Brandl <georg@python.org>
Tue, 15 May 2007 20:19:34 +0000 (20:19 +0000)
committer Georg Brandl <georg@python.org>
Tue, 15 May 2007 20:19:34 +0000 (20:19 +0000)
diff --git a/Lib/cgitb.py b/Lib/cgitb.py

index 1c300b24ea30dceb9937af6f45fd7fc750b6acdb..19b4149f9f3a2aeacfea8c2b0a8ee83db3bec3ce 100644 (file)
--- a/Lib/cgitb.py
+++ b/Lib/cgitb.py
@@ -183,7 +183,8 @@ function calls leading up to the error, in the order they occurred.</p>'''
  
  %s
  -->
-''' % ''.join(traceback.format_exception(etype, evalue, etb))
+''' % pydoc.html.escape(
+          ''.join(traceback.format_exception(etype, evalue, etb)))
  
  def text((etype, evalue, etb), context=5):
      """Return a plain text document describing a given traceback."""
diff --git a/Misc/NEWS b/Misc/NEWS

index 32531f6c40e23253d1aaaf765dbee419ceb00d92..79db74a56c2b17daee9d46bcbe77ad1b975e34a9 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -207,6 +207,10 @@ Core and builtins
  Library
  -------
  
+- HTML-escape the plain traceback in cgitb's HTML output, to prevent
+  the traceback inadvertently or maliciously closing the comment and
+  injecting HTML into the error page.
+
  - The popen2 module and os.popen* are deprecated.  Use the subprocess module.
  
  - Added an optional credentials argument to SMTPHandler, for use with SMTP
author	Georg Brandl <georg@python.org>
	Tue, 15 May 2007 20:19:34 +0000 (20:19 +0000)
committer	Georg Brandl <georg@python.org>
	Tue, 15 May 2007 20:19:34 +0000 (20:19 +0000)
Lib/cgitb.py		patch \| blob \| history
Misc/NEWS		patch \| blob \| history