Submitted by: Mark Cox <mjc apache.org>
Reviewed by: jorton, mjc, fielding
PR: 37874
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@356278
13f79535-47bb-0310-9956-
ffa450edef68
Changes with Apache 1.3.35
+ *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+ mod_imap: Escape untrusted referer header before outputting in HTML
+ to avoid potential cross-site scripting. Change also made to
+ ap_escape_html so we escape quotes. Reported by JPCERT.
+ [Mark Cox]
+
*) mod_cgi: Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.
[Roy Fielding] PR 15242
j += 3;
else if (s[i] == '&')
j += 4;
+ else if (s[i] == '"')
+ j += 5;
if (j == 0)
return ap_pstrndup(p, s, i);
memcpy(&x[j], "&", 5);
j += 4;
}
+ else if (s[i] == '"') {
+ memcpy(&x[j], """, 6);
+ j += 5;
+ }
else
x[j] = s[i];
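Review bot: The new branch escapes `"` but leaves `'` untouched, so the result is only safe in element content and double-quoted attribute values; a caller that drops it into a single-quoted attribute is still injectable. If that is the intended contract, state it in ap_escape_html's header comment, e.g. `/* Escapes <, >, & and " (not ') -- safe for element text and double-quoted attributes only. */`; otherwise add `else if (s[i] == '\'') j += 4;` to the length pass and a `memcpy(&x[j], "&#39;", 5); j += 4;` arm to the copy pass. The two passes (the length loop ending at the `if (j == 0)` check and the copy loop above) must stay in lockstep: `&quot;` is six bytes replacing one, hence the 6-byte memcpy with `j += 5`, mirroring the `&amp;` case, so any further entity has to be added to both. The literals as shown on this page read `"&"` and `"""`, which cannot match the 5- and 6-byte copies; presumably the page decoded `&amp;`/`&quot;` while rendering, but it is worth confirming the checked-in source holds the entity names. The enclosing for loops of both hunks begin outside the hunks.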
if (!strcasecmp(value, "referer")) {
referer = ap_table_get(r->headers_in, "Referer");
if (referer && *referer) {
- return ap_pstrdup(r->pool, referer);
+ return ap_escape_html(r->pool, referer);
}
else {
/* XXX: This used to do *value = '\0'; ... which is totally bogus
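Review bot: The referer is now HTML-escaped at the point it is read, so every consumer of the string returned here receives the escaped form, not only the HTML menu output that the CVE-2005-3352 entry describes. If this return value can also reach a non-HTML sink such as a Location header, a referer containing `&` would arrive there as `&amp;`; the callers are not visible from this hunk, so confirm that, and if it does happen, escape at the HTML output site instead (or keep the raw value and escape a copy for the menu). Either way a comment on the new line would keep the next maintainer from undoing the fix, e.g. `/* Referer is client-supplied; escape for HTML output (CVE-2005-3352). */`. The enclosing function continues outside the hunk, including the else branch whose XXX comment is cut off at the hunk's end.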