From: Mark J. Cox Date: Mon, 12 Dec 2005 16:41:53 +0000 (+0000) Subject: Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw X-Git-Tag: 2.0.56~116 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29cf82f6e368b44dc37c5d628c39bc3ecedd7706;p=thirdparty%2Fapache%2Fhttpd.git Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw Submitted by: Mark Cox Reviewed by: jorton, mjc, fielding PR: 37874 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@356279 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index ae7aa659102..2b9f6881e76 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.56 + *) SECURITY: CVE-2005-3352 (cve.mitre.org) + mod_imap: Escape untrusted referer header before outputting in HTML + to avoid potential cross-site scripting. Change also made to + ap_escape_html so we escape quotes. Reported by JPCERT. + [Mark Cox] + *) mod_cgi(d): Remove block on OPTIONS method so that scripts can respond to OPTIONS directly rather than via server default. [Roy Fielding] PR 15242 diff --git a/modules/mappers/mod_imap.c b/modules/mappers/mod_imap.c index d5f2a955adb..c822a6056f2 100644 --- a/modules/mappers/mod_imap.c +++ b/modules/mappers/mod_imap.c @@ -342,7 +342,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value) if (!strcasecmp(value, "referer")) { referer = apr_table_get(r->headers_in, "Referer"); if (referer && *referer) { - return apr_pstrdup(r->pool, referer); + return ap_escape_html(r->pool, referer); } else { /* XXX: This used to do *value = '\0'; ... which is totally bogus diff --git a/server/util.c b/server/util.c index aa747e3450a..29139b2b068 100644 --- a/server/util.c +++ b/server/util.c @@ -1762,6 +1762,8 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s) j += 3; else if (s[i] == '&') j += 4; + else if (s[i] == '"') + j += 5; if (j == 0) return apr_pstrmemdup(p, s, i); @@ -1780,6 +1782,10 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s) memcpy(&x[j], "&", 5); j += 4; } + else if (s[i] == '"') { + memcpy(&x[j], """, 6); + j += 5; + } else x[j] = s[i];