diff options
Diffstat (limited to 'httpd/server_http.c')
| -rw-r--r-- | httpd/server_http.c | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/httpd/server_http.c b/httpd/server_http.c index d51359f..bb29358 100644 --- a/httpd/server_http.c +++ b/httpd/server_http.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server_http.c,v 1.91 2015/07/18 06:00:43 reyk Exp $ */ +/* $OpenBSD: server_http.c,v 1.96 2015/07/31 00:10:51 benno Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -742,6 +742,7 @@ server_abort_http(struct client *clt, u_int code, const char *msg) char *httpmsg, *body = NULL, *extraheader = NULL; char tmbuf[32], hbuf[128], *hstsheader = NULL; char buf[IBUF_READ_SIZE]; + char *escapedmsg = NULL; int bodylen; if (code == 0) { @@ -782,8 +783,12 @@ server_abort_http(struct client *clt, u_int code, const char *msg) msg = buf; break; case 401: - if (asprintf(&extraheader, - "WWW-Authenticate: Basic realm=\"%s\"\r\n", msg) == -1) { + if (stravis(&escapedmsg, msg, VIS_DQ) == -1) { + code = 500; + extraheader = NULL; + } else if (asprintf(&extraheader, + "WWW-Authenticate: Basic realm=\"%s\"\r\n", escapedmsg) + == -1) { code = 500; extraheader = NULL; } @@ -806,6 +811,8 @@ server_abort_http(struct client *clt, u_int code, const char *msg) break; } + free(escapedmsg); + /* A CSS stylesheet allows minimal customization by the user */ style = "body { background-color: white; color: black; font-family: " "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }\n" @@ -829,9 +836,11 @@ server_abort_http(struct client *clt, u_int code, const char *msg) if (srv_conf->flags & SRVFLAG_SERVER_HSTS) { if (asprintf(&hstsheader, "Strict-Transport-Security: " - "max-age=%d%s\r\n", srv_conf->hsts_max_age, - srv_conf->hsts_subdomains == 0 ? "" : - " ; includeSubDomains") == -1) + "max-age=%d%s%s\r\n", srv_conf->hsts_max_age, + srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ? + "; includeSubDomains" : "", + srv_conf->hsts_flags & HSTSFLAG_PRELOAD ? + "; preload" : "") == -1) goto done; } @@ -1235,7 +1244,7 @@ server_response_http(struct client *clt, u_int code, return (-1); /* Add error codes */ - if (kv_setkey(&resp->http_pathquery, "%lu", code) == -1 || + if (kv_setkey(&resp->http_pathquery, "%u", code) == -1 || kv_set(&resp->http_pathquery, "%s", error) == -1) return (-1); @@ -1272,9 +1281,11 @@ server_response_http(struct client *clt, u_int code, if ((cl = kv_add(&resp->http_headers, "Strict-Transport-Security", NULL)) == NULL || - kv_set(cl, "max-age=%d%s", srv_conf->hsts_max_age, - srv_conf->hsts_subdomains == 0 ? "" : - " ; includeSubDomains") == -1) + kv_set(cl, "max-age=%d%s%s", srv_conf->hsts_max_age, + srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ? + "; includeSubDomains" : "", + srv_conf->hsts_flags & HSTSFLAG_PRELOAD ? + "; preload" : "") == -1) return (-1); } |