You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mj...@apache.org on 2005/12/12 18:28:09 UTC
svn commit: r356291 - in /httpd/httpd/branches/2.2.x: CHANGES
modules/mappers/mod_imagemap.c server/util.c
Author: mjc
Date: Mon Dec 12 09:27:59 2005
New Revision: 356291
URL: http://svn.apache.org/viewcvs?rev=356291&view=rev
Log:
Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw
Submitted by: Mark Cox <mjc apache.org>
Reviewed by: jorton, mjc, fielding
PR: 37874
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c
httpd/httpd/branches/2.2.x/server/util.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=356291&r1=356290&r2=356291&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Dec 12 09:27:59 2005
@@ -1,6 +1,12 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.1
+ *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+ mod_imap: Escape untrusted referer header before outputting in HTML
+ to avoid potential cross-site scripting. Change also made to
+ ap_escape_html so we escape quotes. Reported by JPCERT.
+ [Mark Cox]
+
*) Fix syntax error in httpd.h with strict compilers. PR 38740.
[Per Olausson <pao darkheim.freeserve.co.uk>]
Modified: httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c?rev=356291&r1=356290&r2=356291&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c Mon Dec 12 09:27:59 2005
@@ -342,7 +342,7 @@
if (!strcasecmp(value, "referer")) {
referer = apr_table_get(r->headers_in, "Referer");
if (referer && *referer) {
- return apr_pstrdup(r->pool, referer);
+ return apr_escape_html(r->pool, referer);
}
else {
/* XXX: This used to do *value = '\0'; ... which is totally bogus
Modified: httpd/httpd/branches/2.2.x/server/util.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/server/util.c?rev=356291&r1=356290&r2=356291&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/util.c (original)
+++ httpd/httpd/branches/2.2.x/server/util.c Mon Dec 12 09:27:59 2005
@@ -1748,6 +1748,8 @@
j += 3;
else if (s[i] == '&')
j += 4;
+ else if (s[i] == '"')
+ j += 5;
if (j == 0)
return apr_pstrmemdup(p, s, i);
@@ -1765,6 +1767,10 @@
else if (s[i] == '&') {
memcpy(&x[j], "&", 5);
j += 4;
+ }
+ else if (s[i] == '"') {
+ memcpy(&x[j], """, 6);
+ j += 5;
}
else
x[j] = s[i];