From: Mark J. Cox Date: Mon, 12 Dec 2005 17:27:59 +0000 (+0000) Subject: Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw X-Git-Tag: 2.2.1~190 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=245c5818aef62eac2f7a6d21941111af738f552c;p=thirdparty%2Fapache%2Fhttpd.git Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw Submitted by: Mark Cox Reviewed by: jorton, mjc, fielding PR: 37874 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@356291 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index fb864f68412..d01d063fac7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.1 + *) SECURITY: CVE-2005-3352 (cve.mitre.org) + mod_imap: Escape untrusted referer header before outputting in HTML + to avoid potential cross-site scripting. Change also made to + ap_escape_html so we escape quotes. Reported by JPCERT. + [Mark Cox] + *) Fix syntax error in httpd.h with strict compilers. PR 38740. [Per Olausson ] diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c index 2bbdef54cc6..b6637fa62a8 100644 --- a/modules/mappers/mod_imagemap.c +++ b/modules/mappers/mod_imagemap.c @@ -342,7 +342,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value) if (!strcasecmp(value, "referer")) { referer = apr_table_get(r->headers_in, "Referer"); if (referer && *referer) { - return apr_pstrdup(r->pool, referer); + return apr_escape_html(r->pool, referer); } else { /* XXX: This used to do *value = '\0'; ... which is totally bogus diff --git a/server/util.c b/server/util.c index 0d9acf948e9..36dfc0f3cdd 100644 --- a/server/util.c +++ b/server/util.c @@ -1748,6 +1748,8 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s) j += 3; else if (s[i] == '&') j += 4; + else if (s[i] == '"') + j += 5; if (j == 0) return apr_pstrmemdup(p, s, i); @@ -1766,6 +1768,10 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s) memcpy(&x[j], "&", 5); j += 4; } + else if (s[i] == '"') { + memcpy(&x[j], """, 6); + j += 5; + } else x[j] = s[i];