From: Mark J. Cox
Date: Mon, 12 Dec 2005 16:36:54 +0000 (+0000)
Subject: Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c01a900184985d3e5dc37384500923bffcae9b8;p=thirdparty%2Fapache%2Fhttpd.git

Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw

Submitted by: Mark Cox
Reviewed by: jorton, mjc, fielding
PR: 37874

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@356278 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/src/CHANGES b/src/CHANGES
index 94f42bd95a7..4e61abc32f1 100644
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,11 @@
 Changes with Apache 1.3.35
 
+ *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+ mod_imap: Escape untrusted referer header before outputting in HTML
+ to avoid potential cross-site scripting. Change also made to
+ ap_escape_html so we escape quotes. Reported by JPCERT.
+ [Mark Cox]
+
 *) mod_cgi: Remove block on OPTIONS method so that scripts can respond
 to OPTIONS directly rather than via server default. [Roy Fielding]
 PR 15242
diff --git a/src/main/util.c b/src/main/util.c
index 5c6af6d4cef..b2c1f166f9b 100644
--- a/src/main/util.c
+++ b/src/main/util.c
@@ -1722,6 +1722,8 @@ API_EXPORT(char *) ap_escape_html(pool *p, const char *s)
 j += 3;
 else if (s[i] == '&')
 j += 4;
+ else if (s[i] == '"')
+ j += 5;
 
 if (j == 0)
 return ap_pstrndup(p, s, i);
@@ -1740,6 +1742,10 @@ API_EXPORT(char *) ap_escape_html(pool *p, const char *s)
 memcpy(&x[j], "&", 5);
 j += 4;
 }
+ else if (s[i] == '"') {
+ memcpy(&x[j], """, 6);
+ j += 5;
+ }
 else
 x[j] = s[i];
 
diff --git a/src/modules/standard/mod_imap.c b/src/modules/standard/mod_imap.c
index 4455fa42bc9..c9101c82ac3 100644
--- a/src/modules/standard/mod_imap.c
+++ b/src/modules/standard/mod_imap.c
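Review bot: `ap_escape_html` still copies `'` through unchanged after these two util.c hunks (the length pass in the first hunk and the copy pass in the second now cover `<`, `>`, `&` and `"` only), so the escaped string is safe in element content and double-quoted attributes but not inside a single-quoted attribute; since this is an exported API, stating that contract on the definition would help callers, e.g. `/* Escapes <, >, & and \" for HTML element content or double-quoted attributes; single quotes are NOT escaped. */`. The page renders the second hunk's new memcpy source as `"""` with length 6 and the existing `&` source with length 5, which looks like entity decoding by the page rather than the committed text, as those lengths match `&quot;` and `&amp;`. The function body starts before the first hunk and ends after the second.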
@@ -328,7 +328,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
 if (!strcasecmp(value, "referer")) {
 referer = ap_table_get(r->headers_in, "Referer");
 if (referer && *referer) {
- return ap_pstrdup(r->pool, referer);
+ return ap_escape_html(r->pool, referer);
 }
 else {
 /* XXX: This used to do *value = '\0'; ... which is totally bogus
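Review bot: The escaped value returned at the changed line is the URL that `imap_url` hands back to its callers, so escaping here is correct only if every consumer embeds it in HTML; if any caller (not visible in this hunk) also emits it in a Location header or another non-HTML context, a Referer carrying `&` in its query string would be sent as `&amp;` there, which is worth confirming. If both uses exist, escaping at the HTML output site rather than at the source would avoid that coupling. A short comment on the changed line would record why the escape is needed: `/* Referer is untrusted client input; escape before it is written into HTML (CVE-2005-3352). */`. imap_url's body starts before this hunk and continues past its last line.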