Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw

author Mark J. Cox <mjc@apache.org>

Mon, 12 Dec 2005 17:27:59 +0000 (17:27 +0000)

committer Mark J. Cox <mjc@apache.org>

Mon, 12 Dec 2005 17:27:59 +0000 (17:27 +0000)
author Mark J. Cox <mjc@apache.org>
Mon, 12 Dec 2005 17:27:59 +0000 (17:27 +0000)
committer Mark J. Cox <mjc@apache.org>
Mon, 12 Dec 2005 17:27:59 +0000 (17:27 +0000)
diff --git a/CHANGES b/CHANGES

index fb864f68412ff7c2da29acb0b2160bb89890eae6..d01d063fac780f08d0df4b43edbc6dfab490dab0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
                                                          -*- coding: utf-8 -*-
  Changes with Apache 2.2.1
  
+  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+     mod_imap: Escape untrusted referer header before outputting in HTML
+     to avoid potential cross-site scripting.  Change also made to
+     ap_escape_html so we escape quotes.  Reported by JPCERT.
+     [Mark Cox]
+
    *) Fix syntax error in httpd.h with strict compilers.  PR 38740.
       [Per Olausson <pao darkheim.freeserve.co.uk>]
  
diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c

index 2bbdef54cc6e35b9ba4dbec4093e49053f25d9fa..b6637fa62a8f3dd87a540e5deb807be530664fb3 100644 (file)
--- a/modules/mappers/mod_imagemap.c
+++ b/modules/mappers/mod_imagemap.c
@@ -342,7 +342,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
      if (!strcasecmp(value, "referer")) {
          referer = apr_table_get(r->headers_in, "Referer");
          if (referer && *referer) {
-            return apr_pstrdup(r->pool, referer);
+            return apr_escape_html(r->pool, referer);
          }
          else {
              /* XXX:  This used to do *value = '\0'; ... which is totally bogus
diff --git a/server/util.c b/server/util.c

index 0d9acf948e9828cd7967e04318d607e0331fa9e4..36dfc0f3cdd3209fcc8144bf4d4ca87d40b59a54 100644 (file)
--- a/server/util.c
+++ b/server/util.c
@@ -1748,6 +1748,8 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
              j += 3;
          else if (s[i] == '&')
              j += 4;
+        else if (s[i] == '"')
+            j += 5;
  
      if (j == 0)
          return apr_pstrmemdup(p, s, i);
@@ -1766,6 +1768,10 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
              memcpy(&x[j], "&amp;", 5);
              j += 4;
          }
+        else if (s[i] == '"') {
+            memcpy(&x[j], "&quot;", 6);
+            j += 5;
+        }
          else
              x[j] = s[i];
author	Mark J. Cox <mjc@apache.org>
	Mon, 12 Dec 2005 17:27:59 +0000 (17:27 +0000)
committer	Mark J. Cox <mjc@apache.org>
	Mon, 12 Dec 2005 17:27:59 +0000 (17:27 +0000)
CHANGES		patch \| blob \| blame \| history
modules/mappers/mod_imagemap.c		patch \| blob \| blame \| history
server/util.c		patch \| blob \| blame \| history