From 90521799bdb923df031e975021b7ce1d093fc4eb Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Fri, 16 Dec 2005 14:27:47 +0000
Subject: [PATCH] Bring forward the fix for CVE-2005-3352 already on the branches:
* modules/mappers/mod_imagemap.c (imap_url): Escape the referer.
* server/util.c (ap_escape_html): Escape the " character.
Submitted by: mjc
Reviewed by: fielding, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@357161 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/mappers/mod_imagemap.c | 2 +-
 server/util.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c
index 2bbdef54cc6..9bf8c1659f1 100644
--- a/modules/mappers/mod_imagemap.c
+++ b/modules/mappers/mod_imagemap.c
@@ -342,7 +342,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
 if (!strcasecmp(value, "referer")) {
 referer = apr_table_get(r->headers_in, "Referer");
 if (referer && *referer) {
- return apr_pstrdup(r->pool, referer);
+ return ap_escape_html(r->pool, referer);
 }
 else {
 /* XXX: This used to do *value = '\0'; ... which is totally bogus
diff --git a/server/util.c b/server/util.c
index 0d9acf948e9..36dfc0f3cdd 100644
--- a/server/util.c
+++ b/server/util.c
@@ -1748,6 +1748,8 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
 j += 3;
 else if (s[i] == '&')
 j += 4;
+ else if (s[i] == '"')
+ j += 5;

 if (j == 0)
 return apr_pstrmemdup(p, s, i);
@@ -1766,6 +1768,10 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
 memcpy(&x[j], "&", 5);
 j += 4;
 }
+ else if (s[i] == '"') {
+ memcpy(&x[j], """, 6);
+ j += 5;
+ }
 else
 x[j] = s[i];

-- 
2.47.2
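Review bot: HTML-escaping the Referer inside imap_url fixes the menu output but escapes at the data source rather than at the sink; if imap_url's return value also feeds a non-HTML context such as a Location header in its callers (imap_url's body starts and ends outside this hunk, so the callers are not visible here), an '&' in the referer's query string would reach that context already rewritten as an entity. Escaping where the menu HTML is written would keep any redirect URL intact and is worth checking before this lands. Either way the new line deserves a why-comment so the next reader does not revert it to a plain copy: `/* Referer is client-controlled and is echoed into the imagemap menu HTML (CVE-2005-3352); escape it. */`.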
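Review bot: The new branches escape the double quote but still leave the apostrophe unescaped, so a caller that places ap_escape_html() output inside a single-quoted attribute remains exposed; that limit of the contract belongs in the function's header comment, e.g. `/* Escapes <, >, & and " only: safe for element content and double-quoted attributes, not for single-quoted attributes or script contexts. */`. The replacement-length arithmetic is duplicated between the counting pass (hunk at 1748) and the writing pass (hunk at 1768) and the two must stay in sync: the memcpy length 6 implies a six-byte entity for '"', and j += 5 is that length minus the one source byte, which is consistent. As rendered here the literals read "&" and """, which cannot be 5 and 6 bytes long; presumably the entity text was decoded when the page was rendered, so confirm against the actual source that the literals are the full entity strings. The function body begins before the first hunk and ends after the second.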