You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jo...@apache.org on 2005/12/16 15:27:53 UTC
svn commit: r357161 - in /httpd/httpd/trunk: modules/mappers/mod_imagemap.c
server/util.c
Author: jorton
Date: Fri Dec 16 06:27:47 2005
New Revision: 357161
URL: http://svn.apache.org/viewcvs?rev=357161&view=rev
Log:
Bring forward the fix for CVE-2005-3352 already on the branches:
* modules/mappers/mod_imagemap.c (imap_url): Escape the referer.
* server/util.c (ap_escape_html): Escape the " character.
Submitted by: mjc
Reviewed by: fielding, jorton
Modified:
httpd/httpd/trunk/modules/mappers/mod_imagemap.c
httpd/httpd/trunk/server/util.c
Modified: httpd/httpd/trunk/modules/mappers/mod_imagemap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/mappers/mod_imagemap.c?rev=357161&r1=357160&r2=357161&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/mappers/mod_imagemap.c (original)
+++ httpd/httpd/trunk/modules/mappers/mod_imagemap.c Fri Dec 16 06:27:47 2005
@@ -342,7 +342,7 @@
if (!strcasecmp(value, "referer")) {
referer = apr_table_get(r->headers_in, "Referer");
if (referer && *referer) {
- return apr_pstrdup(r->pool, referer);
+ return ap_escape_html(r->pool, referer);
}
else {
/* XXX: This used to do *value = '\0'; ... which is totally bogus
Modified: httpd/httpd/trunk/server/util.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/server/util.c?rev=357161&r1=357160&r2=357161&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util.c (original)
+++ httpd/httpd/trunk/server/util.c Fri Dec 16 06:27:47 2005
@@ -1748,6 +1748,8 @@
j += 3;
else if (s[i] == '&')
j += 4;
+ else if (s[i] == '"')
+ j += 5;
if (j == 0)
return apr_pstrmemdup(p, s, i);
@@ -1765,6 +1767,10 @@
else if (s[i] == '&') {
memcpy(&x[j], "&", 5);
j += 4;
+ }
+ else if (s[i] == '"') {
+ memcpy(&x[j], """, 6);
+ j += 5;
}
else
x[j] = s[i];