httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m..@apache.org
Subject svn commit: r356291 - in /httpd/httpd/branches/2.2.x: CHANGES modules/mappers/mod_imagemap.c server/util.c
Date Mon, 12 Dec 2005 17:28:09 GMT
Author: mjc
Date: Mon Dec 12 09:27:59 2005
New Revision: 356291

URL: http://svn.apache.org/viewcvs?rev=356291&view=rev
Log:
Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw

Submitted by: Mark Cox <mjc apache.org>
Reviewed by: jorton, mjc, fielding
PR: 37874


Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c
    httpd/httpd/branches/2.2.x/server/util.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=356291&r1=356290&r2=356291&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Dec 12 09:27:59 2005
@@ -1,6 +1,12 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.1
 
+  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+     mod_imap: Escape untrusted referer header before outputting in HTML
+     to avoid potential cross-site scripting.  Change also made to
+     ap_escape_html so we escape quotes.  Reported by JPCERT.
+     [Mark Cox]
+
   *) Fix syntax error in httpd.h with strict compilers.  PR 38740.
      [Per Olausson <pao darkheim.freeserve.co.uk>]
 

Modified: httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c?rev=356291&r1=356290&r2=356291&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c Mon Dec 12 09:27:59 2005
@@ -342,7 +342,7 @@
     if (!strcasecmp(value, "referer")) {
         referer = apr_table_get(r->headers_in, "Referer");
         if (referer && *referer) {
-            return apr_pstrdup(r->pool, referer);
+            return apr_escape_html(r->pool, referer);
         }
         else {
             /* XXX:  This used to do *value = '\0'; ... which is totally bogus

Modified: httpd/httpd/branches/2.2.x/server/util.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/server/util.c?rev=356291&r1=356290&r2=356291&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/util.c (original)
+++ httpd/httpd/branches/2.2.x/server/util.c Mon Dec 12 09:27:59 2005
@@ -1748,6 +1748,8 @@
             j += 3;
         else if (s[i] == '&')
             j += 4;
+        else if (s[i] == '"')
+            j += 5;
 
     if (j == 0)
         return apr_pstrmemdup(p, s, i);
@@ -1765,6 +1767,10 @@
         else if (s[i] == '&') {
             memcpy(&x[j], "&amp;", 5);
             j += 4;
+        }
+        else if (s[i] == '"') {
+            memcpy(&x[j], "&quot;", 6);
+            j += 5;
         }
         else
             x[j] = s[i];



Mime
View raw message