diff --git a/lg.py b/lg.py
index 9b02328..c9695cb 100755
--- a/lg.py
+++ b/lg.py
@@ -29,7 +29,9 @@ from urllib import quote, unquote
 import json
 import random
-from toolbox import mask_is_valid, ipv6_is_valid, ipv4_is_valid, resolve, save_cache_pickle, load_cache_pickle, get_asn_from_as
+from toolbox import mask_is_valid, ipv6_is_valid, ipv4_is_valid, resolve, save_cache_pickle, load_cache_pickle, get_asn_from_as, unescape
+from xml.sax.saxutils import escape
+
 import pydot
 from flask import Flask, render_template, jsonify, redirect, session, request, abort, Response
@@ -175,9 +177,12 @@ def incorrect_request(e):
 def page_not_found(e):
 return render_template('error.html', warning="The requested URL was not found on the server."), 404
+def sanitized(*args):
+ return tuple( unescape(s) for s in args)
 @app.route("/whois/")
 def whois(query):
+ query = sanitized(query)
 if not query.strip():
 abort(400)
@@ -200,6 +205,8 @@ SUMMARY_RE_MATCH = r"(?P[\w_]+)\s+(?P\w+)\s+(?P\w+)\s+(?P")
 @app.route("/summary//")
 def summary(hosts, proto="ipv4"):
+ hosts, proto = sanitized(hosts, proto)
+
 set_session("summary", hosts, proto, "")
 command = "show protocols"
@@ -229,6 +236,9 @@ def summary(hosts, proto="ipv4"):
 @app.route("/detail//")
 def detail(hosts, proto):
 name = request.args.get('q', '').strip()
+
+ hosts, proto, name= sanitized(hosts, proto, name)
+
 if not name:
 abort(400)
@@ -251,6 +261,8 @@ def detail(hosts, proto):
 @app.route("/traceroute//")
 def traceroute(hosts, proto):
 q = request.args.get('q', '').strip()
+ hosts, proto, q = sanitized(hosts, proto, q)
+
 if not q:
 abort(400)
@@ -344,6 +356,7 @@ def show_bgpmap():
 """return a bgp map in a png file, from the json tree in q argument"""
 data = request.args.get('q', '').strip()
+ #data = sanitized(data)
 if not data:
 abort(400)
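Review bot: `query = sanitized(query)` in whois binds a one-element tuple, so the very next line `if not query.strip()` raises AttributeError (tuple has no strip) and every /whois request ends as a 500; unpack it instead, `query, = sanitized(query)` or `query = sanitized(query)[0]`. The helper is named `sanitized` but, through toolbox.unescape, it only decodes XML character and entity references and removes nothing, so a docstring such as `"""Return *args with XML entity/character references decoded, always as a tuple (even for one argument)."""` would make the contract explicit and prevent this misuse. Because unescape hands the raw request data to an expat parser, a bare `&` or an unmatched `<` in any of the values raises ExpatError, which nothing catches, so it surfaces as a 500 at every call site in this diff (whois, summary, detail, traceroute, show_route); catching it once in `sanitized` with `except ExpatError: abort(400)` (importing `ExpatError` from `xml.parsers.expat`) turns that into the 400 the surrounding code already uses for bad input. whois's body continues outside the hunk.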
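Review bot: In detail, `hosts, proto, name= sanitized(hosts, proto, name)` is missing the space before `=`; write `hosts, proto, name = sanitized(hosts, proto, name)` so it reads like the summary and traceroute call sites in this diff. detail's body continues outside the hunk.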
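Review bot: The commented-out `#data = sanitized(data)` in show_bgpmap is dead code that leaves the reader guessing whether the bgpmap `q` argument is deliberately exempt from the decoding applied to every other route in this diff. If the exemption is intentional, replace the dead line with a comment stating why, e.g. `# q is consumed as a JSON tree; deliberately not passed through sanitized()` (adjust to the real reason); otherwise drop the line so the code does not suggest a half-finished change. show_bgpmap's body continues outside the hunk.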
@@ -501,7 +514,8 @@ def build_as_tree_from_raw_bird_ouput(host, proto, text):
 def show_route(request_type, hosts, proto):
- expression = unquote(request.args.get('q', '')).strip()
+ expression = request.args.get('q', '').strip()
+ request_type, hosts, proto, expression = sanitized(request_type, hosts, proto, expression)
 if not expression:
 abort(400)
diff --git a/toolbox.py b/toolbox.py
index 7c82f4c..1543b85 100644
--- a/toolbox.py
+++ b/toolbox.py
@@ -22,7 +22,7 @@ from dns import resolver
 import socket
 import pickle
-
+import xml.parsers.expat
 def resolve(n, q):
 return str(resolver.query(n,q)[0])
@@ -71,3 +71,29 @@ def load_cache_pickle(filename, default = None):
 pkl_file.close()
 return data
+def unescape(s):
+ want_unicode = False
+ if isinstance(s, unicode):
+ s = s.encode("utf-8")
+ want_unicode = True
+
+ # the rest of this assumes that `s` is UTF-8
+ list = []
+
+ # create and initialize a parser object
+ p = xml.parsers.expat.ParserCreate("utf-8")
+ p.buffer_text = True
+ p.returns_unicode = want_unicode
+ p.CharacterDataHandler = list.append
+
+ # parse the data wrapped in a dummy element
+ # (needed so the "document" is well-formed)
+ p.Parse("", 0)
+ p.Parse(s, 0)
+ p.Parse("", 1)
+
+ # join the extracted strings and return
+ es = ""
+ if want_unicode:
+ es = u""
+ return es.join(list)
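Review bot: `unescape` has no docstring and its failure mode is undocumented: expat raises `xml.parsers.expat.ExpatError` on any input that is not well-formed element content (a bare `&`, an unmatched `<`, an undefined entity name), nothing in the function catches it, and the lg.py callers in this diff feed it request data, so malformed input becomes an unhandled exception instead of a value. Add a docstring along the lines of `"""Decode XML character and entity references in s (str or unicode, result type follows the input); raises xml.parsers.expat.ExpatError on malformed input."""` so callers know to handle that case. The local `list = []` shadows the builtin; rename it, e.g. `chunks = []`, `p.CharacterDataHandler = chunks.append` and `return es.join(chunks)`. As rendered here the comment says the data is wrapped in a dummy element, yet both wrapper calls read `p.Parse("", 0)` and `p.Parse("", 1)` with empty strings — the tags were probably lost in rendering, but confirm the committed file really opens and closes a wrapper element, since without it the parse of plain text cannot succeed. Note also that `xml.sax.saxutils`, which lg.py already imports from, provides an `unescape` that decodes the predefined entities without instantiating a parser and without raising, at the cost of not decoding numeric character references; if that is sufficient it would remove the parser-error path entirely.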