Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/net/webdav: displayname is not escaped #17158

Closed
bancek opened this issue Sep 19, 2016 · 3 comments
Closed

x/net/webdav: displayname is not escaped #17158

bancek opened this issue Sep 19, 2016 · 3 comments
Labels
FrozenDueToAge
Milestone
Unreleased

Comments

@bancek
Copy link

bancek commented Sep 19, 2016

What version of Go are you using (go version)?

go version go1.7.1 linux/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build168478790=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

go run src/golang.org/x/net/webdav/litmus_test_server.go
curl http://localhost:9999/%3C -X PROPFIND -X MKCOL
curl http://localhost:9999/%3C -X PROPFIND -H "Depth: 0"

What did you expect to see?

<?xml version="1.0" encoding="UTF-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/%3C</D:href>
    <D:propstat>
      <D:prop>
        <D:getlastmodified>Mon, 19 Sep 2016 12:08:16 GMT</D:getlastmodified>
        <D:supportedlock>
          <D:lockentry xmlns:D="DAV:">
            <D:lockscope>
              <D:exclusive/>
            </D:lockscope>
            <D:locktype>
              <D:write/>
            </D:locktype>
          </D:lockentry>
        </D:supportedlock>
        <D:resourcetype>
          <D:collection xmlns:D="DAV:"/>
        </D:resourcetype>
        <D:displayname>&lt;</D:displayname>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>

What did you see instead?

<?xml version="1.0" encoding="UTF-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/%3C</D:href>
    <D:propstat>
      <D:prop>
        <D:getlastmodified>Mon, 19 Sep 2016 12:08:16 GMT</D:getlastmodified>
        <D:supportedlock>
          <D:lockentry xmlns:D="DAV:">
            <D:lockscope>
              <D:exclusive/>
            </D:lockscope>
            <D:locktype>
              <D:write/>
            </D:locktype>
          </D:lockentry>
        </D:supportedlock>
        <D:resourcetype>
          <D:collection xmlns:D="DAV:"/>
        </D:resourcetype>
        <D:displayname><</D:displayname>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>

Proposed fix:
koofr/go-webdav@512e9d6
@bradfitz
Copy link
Contributor

Thanks for the report! We can only accept fixes to Go via Gerrit, though. See https://golang.org/doc/contribute.html

@bradfitz bradfitz added this to the Unreleased milestone Sep 19, 2016
@bancek
Copy link
Author

bancek commented Sep 19, 2016

https://go-review.googlesource.com/#/c/29297/

@gopherbot
Copy link
Contributor

CL https://golang.org/cl/29297 mentions this issue.

@golang golang locked and limited conversation to collaborators Oct 22, 2017
dt-eric-lefevreardant pushed a commit to DiliTrust/go-webdav that referenced this issue Mar 11, 2025
@bancek @nigeltao
webdav: escape displayname
b900c95 
Displayname WebDAV property should be XML escaped. With current
implementation a file with name '<.txt' would make the XML
invalid.

Fixes golang/go#17158

Change-Id: Ib3b5376094edc957ed15adf511bd1050ea13d27e
Reviewed-on: https://go-review.googlesource.com/29297
Reviewed-by: Nigel Tao <nigeltao@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@bradfitz @bancek @gopherbot