Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw

Submitted by: Mark Cox <mjc apache.org>
Reviewed by: jorton, mjc, fielding
PR: 37874

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@356279 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index ae7aa659102d330acefaf8b6b1c556e5456a3f2a..2b9f6881e763d7a22f3e76f584e98141892236bf 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.56
 
+  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+     mod_imap: Escape untrusted referer header before outputting in HTML
+     to avoid potential cross-site scripting.  Change also made to
+     ap_escape_html so we escape quotes.  Reported by JPCERT.
+     [Mark Cox]
+
   *) mod_cgi(d): Remove block on OPTIONS method so that scripts can
      respond to OPTIONS directly rather than via server default.
      [Roy Fielding] PR 15242

diff --git a/modules/mappers/mod_imap.c b/modules/mappers/mod_imap.c
index d5f2a955adbeef6ba9a18cc36fe14b17707fd9d3..c822a6056f215267017ad88bed3d83ea9d480286 100644 (file)
--- a/modules/mappers/mod_imap.c
+++ b/modules/mappers/mod_imap.c
@@ -342,7 +342,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
     if (!strcasecmp(value, "referer")) {
         referer = apr_table_get(r->headers_in, "Referer");
         if (referer && *referer) {
-           return apr_pstrdup(r->pool, referer);
+           return ap_escape_html(r->pool, referer);
         }
         else {
            /* XXX:  This used to do *value = '\0'; ... which is totally bogus

diff --git a/server/util.c b/server/util.c
index aa747e3450aee613eed690e812de07478a6c482c..29139b2b06816a9eab6ae5869567b3cf831e0ca7 100644 (file)
--- a/server/util.c
+++ b/server/util.c
@@ -1762,6 +1762,8 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
             j += 3;
         else if (s[i] == '&')
             j += 4;
+        else if (s[i] == '"')
+            j += 5;
 
     if (j == 0)
         return apr_pstrmemdup(p, s, i);
@@ -1780,6 +1782,10 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
             memcpy(&x[j], "&", 5);
             j += 4;
         }
+        else if (s[i] == '"') {
+            memcpy(&x[j], """, 6);
+            j += 5;
+        }
         else
             x[j] = s[i];