From 513b3863d999f91b47d7e9f26710390db55f9463 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Thu, 14 Jan 2016 14:28:37 +0100
Subject: ui-shared: prevent malicious filename from injecting headers

---
 html.c      | 26 ++++++++++++++++++++++++++
 html.h      |  1 +
 ui-shared.c |  8 +++++---
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/html.c b/html.c
index 959148c..d89df3a 100644
--- a/html.c
+++ b/html.c
@@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
 		html(txt);
 }
 
+void html_header_arg_in_quotes(const char *txt)
+{
+	const char *t = txt;
+	while (t && *t) {
+		unsigned char c = *t;
+		const char *e = NULL;
+		if (c == '\\')
+			e = "\\\\";
+		else if (c == '\r')
+			e = "\\r";
+		else if (c == '\n')
+			e = "\\n";
+		else if (c == '"')
+			e = "\\\"";
+		if (e) {
+			html_raw(txt, t - txt);
+			html(e);
+			txt = t + 1;
+		}
+		t++;
+	}
+	if (t != txt)
+		html(txt);
+
+}
+
 void html_hidden(const char *name, const char *value)
 {
 	html("<input type='hidden' name='");
diff --git a/html.h b/html.h
index c554763..c72e845 100644
--- a/html.h
+++ b/html.h
@@ -23,6 +23,7 @@ extern void html_ntxt(int len, const char *txt);
 extern void html_attr(const char *txt);
 extern void html_url_path(const char *txt);
 extern void html_url_arg(const char *txt);
+extern void html_header_arg_in_quotes(const char *txt);
 extern void html_hidden(const char *name, const char *value);
 extern void html_option(const char *value, const char *text, const char *selected_value);
 extern void html_intoption(int value, const char *text, int selected_value);
diff --git a/ui-shared.c b/ui-shared.c
index 21f581f..54bbde7 100644
--- a/ui-shared.c
+++ b/ui-shared.c
@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
 		htmlf("Content-Type: %s\n", ctx.page.mimetype);
 	if (ctx.page.size)
 		htmlf("Content-Length: %zd\n", ctx.page.size);
-	if (ctx.page.filename)
-		htmlf("Content-Disposition: inline; filename=\"%s\"\n",
-		      ctx.page.filename);
+	if (ctx.page.filename) {
+		html("Content-Disposition: inline; filename=\"");
+		html_header_arg_in_quotes(ctx.page.filename);
+		html("\"\n");
+	}
 	if (!ctx.env.authenticated)
 		html("Cache-Control: no-cache, no-store\n");
 	htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
-- 
cgit 1.4.1

log/tests?id=9c70c0bfdb71b39f6bae6e0c77bbe40b22d64ff5&amp;follow=1'>tests</a>/<a href='/cgit-pink/log/tests/filters?id=9c70c0bfdb71b39f6bae6e0c77bbe40b22d64ff5&amp;follow=1'>filters</a>/<a href='/cgit-pink/log/tests/filters/dump.sh?id=9c70c0bfdb71b39f6bae6e0c77bbe40b22d64ff5&amp;follow=1'>dump.sh</a> (<a href='/cgit-pink/log/tests/filters/dump.sh?id=9c70c0bfdb71b39f6bae6e0c77bbe40b22d64ff5'>unfollow</a>)</div><div class='content'><table class='list nowrap'><tr class='nohover'><th></th><th class='left'>Commit message (<a href='/cgit-pink/log/tests/filters/dump.sh?id=9c70c0bfdb71b39f6bae6e0c77bbe40b22d64ff5&amp;showmsg=1&amp;follow=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-tag.c?id=696a33b66f8638d5c3e0464d66760c6d60ff24a5&amp;follow=1'>tag: move layout into page function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-summary.c?id=a3daa41b78fc2c528c9a42630ab95451ddb87358&amp;follow=1'>summary: move layout into page function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-stats.c?id=892c5441f4af2f53a3b1906c4d7e458829e0cf0a&amp;follow=1'>stats: move layout into page function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-refs.c?id=6d39dd1914dd0a904c606b079e8ef0f1643f2266&amp;follow=1'>refs: move layout to page function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-log.c?id=23c17d8ff01b96619bc1f71274cb44f1425e10f4&amp;follow=1'>log: move layout into page function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-diff.c?id=3b220eb22ded98851ca9dee7c3c3e3b0fd02c49b&amp;follow=1'>diff: move layout to page function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-commit.c?id=c53a15c77a6763b4d6fefb033923ba7493b884a2&amp;follow=1'>commit: move layout into page function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-summary.c?id=51d9176e4bb5c619481355c6b895c6dec30c4f82&amp;follow=1'>about: move layout into page functions</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-shared.h?id=764987980ec0e806205b8e075feafd4e010dcbd9&amp;follow=1'>ui-shared: add cgit_print_layout_{start,end}()</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/html.h?id=fb2c71fad23f4f13f56f74a8b79907805ab1b772&amp;follow=1'>html: remove html_status()</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-snapshot.c?id=fd00e71ab7cf1eabd8d1fc2e5980055350849034&amp;follow=1'>snapshot: don't reimplement cgit_print_error_page()</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-snapshot.c?id=58e827cbd9811500f72bf25b1db569b208661618&amp;follow=1'>snapshot: use cgit_print_error_page() for HTTP status codes</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-patch.c?id=e3e41e5125b1ce270b5afb42beb83e14c0f350cb&amp;follow=1'>patch: use cgit_print_error_page() for HTTP status codes</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-blob.c?id=9a06211daacd2fff14c6211bfc8bad856694f0f9&amp;follow=1'>blob: use cgit_print_error_page() to add HTTP headers</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-snapshot.c?id=048f195eaf2fedb56987f0c8c89b9fd46375aa87&amp;follow=1'>snapshot: use cgit_print_error_page() instead of html_status()</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-plain.c?id=2b3e76a9f95c50f55be70dbb1cfa029f5165a535&amp;follow=1'>plain: use cgit_print_error_page() instead of html_status()</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-clone.c?id=329381dfe45d37cb94847ee92ebe58f2d6c02a9d&amp;follow=1'>clone: use cgit_print_error_page() instead of html_status()</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/cgit.c?id=e9b71ae6fe910573156c4632a314b7dbf84d7b64&amp;follow=1'>cgit: use cgit_print_error_page() where appropriate</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 15:46:51 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-shared.h?id=aec1204a54e3baa12c76db75c2f67696def05eb0&amp;follow=1'>ui-shared: add cgit_print_error_page() function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-14 12:35:25 +0200'>2015-08-14</span></td><td><a href='/cgit-pink/commit/ui-patch.c?id=aa12084f9835783abbd1f1e4609f8de05e73cec4&amp;follow=1'>ui-patch: make sure to send http headers</a></td><td>Christian Hesse</td></tr>
<tr><td><span title='2015-08-13 17:05:12 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/Makefile?id=c543d7dbf6bf7c8be5af829bf1d3eab494856ee0&amp;follow=1'>Makefile: make "git/config.mak.uname" inclusion optional</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:40:27 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/ui-shared.c?id=a360666df3cfcd1b384cd66b18803d72e3893b3d&amp;follow=1'>ui-shared: show full date in tooltip if longer ago than max_relative</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:40:12 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/ui-shared.c?id=b44dd95f13f039cd9bee301655150ff765d9555e&amp;follow=1'>ui-shared: use common function in print_rel_date()</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:39:59 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/ui-shared.c?id=f03e3cb8a5c6b597b87321e1f082d3ab177e8baa&amp;follow=1'>ui-shared: extract date formatting to a function</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:39:06 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/filter.c?id=0c4d76755b98bb597279a1930bf4c69eca7dde62&amp;follow=1'>filter: don't use dlsym unnecessarily</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:38:35 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/ui-tree.c?id=7105a78b17b118866aee77735e26cffcd1fd08fd&amp;follow=1'>ui-tree: use "sane" isgraph()</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:38:03 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/ui-shared.h?id=e09574bdf6cfbd21ff0a58a18f34d4a11db824d7&amp;follow=1'>cgit.h: move stdbool.h from ui-shared.h</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:37:42 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/cache.c?id=43620cf6aa62decaf319d00c28297e3b87a4da78&amp;follow=1'>cache.c: fix header order</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:37:28 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/configfile.c?id=f2e8ca806d43acbfd9bef53f1a3ee5ce95ff32e7&amp;follow=1'>configfile.c: don't include system headers directly</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:36:53 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/ui-summary.c?id=157f544ac2149a985b0f62e9381a759c0ae252ec&amp;follow=1'>Remove redundant includes</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:36:37 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/Makefile?id=0393102249c30f62c8f061062bc4a9ba962b6910&amp;follow=1'>Makefile: include Git's config.mak.uname</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 15:36:18 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/tests/Makefile?id=2ef4edee19c3f935dfffc3e0f4a56f5e2f183fa4&amp;follow=1'>tests: allow shell to be overridden</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-13 11:39:23 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/ui-shared.c?id=c0b59823035efc136a82a96094d164a979d9b2e9&amp;follow=1'>redirect: cleanliness</a></td><td>Jason A. Donenfeld</td></tr>
<tr><td><span title='2015-08-13 11:39:20 +0200'>2015-08-13</span></td><td><a href='/cgit-pink/commit/cmd.c?id=622e64d5f2c56543f56438cb7a705c9023bec269&amp;follow=1'>redirect: be more careful for different cgi setups</a></td><td>Jason A. Donenfeld</td></tr>
<tr><td><span title='2015-08-12 17:43:08 +0200'>2015-08-12</span></td><td><a href='/cgit-pink/commit/ui-log.c?id=da1d4c77760ff6a0eb5cbfbaf6956930089d1963&amp;follow=1'>ui-log: fix double counting</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-12 16:57:46 +0200'>2015-08-12</span></td><td><a href='/cgit-pink/commit/ui-tree.c?id=30304d8156a72ffc95e45e1aa9407319b81bd253&amp;follow=1'>log: allow users to follow a file</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-12 16:57:30 +0200'>2015-08-12</span></td><td><a href='/cgit-pink/commit/shared.c?id=044e2d26da4f8b4f9ff25e4a729ab4e393073b5e&amp;follow=1'>shared: make cgit_diff_tree_cb public</a></td><td>John Keeping</td></tr>
<tr><td><span title='2015-08-12 15:16:05 +0200'>2015-08-12</span></td><td><a href='/cgit-pink/commit/tests/t0110-rawdiff.sh?id=2d386e227e0b75474efcfe82e9fec7d0f21c6df4&amp;follow=1'>t0110: Chain together using &amp;&amp;</a></td><td>Jason A. Donenfeld</td></tr>
<tr><td><span title='2015-08-12 15:03:32 +0200'>2015-08-12</span></td><td><a href='/cgit-pink/commit/ui-shared.h?id=d7034806a4b1279f62d606501f831dcad31798e6&amp;follow=1'>about: always ensure page has a trailing slash</a></td><td>Jason A. Donenfeld</td></tr>
<tr><td><span title='2015-08-12 14:13:44 +0200'>2015-08-12</span></td><td><a href='/cgit-pink/commit/filters/html-converters/txt2html?id=13c2d3df0440ce04273de3149631a9bd97490c6e&amp;follow=1'>filters: apply HTML escaping</a></td><td>Lazaros Koromilas</td></tr>
<tr><td><span title='2015-08-12 14:09:05 +0200'>2015-08-12</span></td><td><a href='/cgit-pink/commit/ui-shared.c?id=de83de276bef7509ab8255682595ad4521f3a193&amp;follow=1'>git: update to v2.5.0</a></td><td>Christian Hesse</td></tr>
<tr><td><span title='2015-08-12 14:08:15 +0200'>2015-08-12</span></td><td><a href='/cgit-pink/commit/cgit.c?id=dc41a0018058c81ee9a0a2dc6e89f737d7c1c966&amp;follow=1'>Fix processing of repo.hide and repo.ignore</a></td><td>Daniel Reichelt