SECURITY: CVE-2005-3352 (cve.mitre.org)

     mod_imap: Escape untrusted referer header before outputting in HTML
     to avoid potential cross-site scripting.  Change also made to
     ap_escape_html so we escape quotes.  Reported by JPCERT.
     [Mark Cox]

Reported by:    simon

1 files changed, 35 insertions, 0 deletions

diff --git a/www/apache20/files/patch-secfix-CAN-2005-3352 b/www/apache20/files/patch-secfix-CAN-2005-3352
new file mode 100644
index 000000000000..895e30345d6b
--- /dev/null
+++ b/www/apache20/files/patch-secfix-CAN-2005-3352
@@ -0,0 +1,35 @@
+--- modules/mappers/mod_imap.c (original)
++++ modules/mappers/mod_imap.c Mon Dec 12 08:41:53 2005
+@@ -342,7 +342,7 @@
+     if (!strcasecmp(value, "referer")) {
+         referer = apr_table_get(r->headers_in, "Referer");
+         if (referer && *referer) {
+-	    return apr_pstrdup(r->pool, referer);
++	    return ap_escape_html(r->pool, referer);
+         }
+         else {
+ 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
+
+--- server/util.c (original)
++++ server/util.c Mon Dec 12 08:41:53 2005
+@@ -1762,6 +1762,8 @@
+             j += 3;
+         else if (s[i] == '&')
+             j += 4;
++        else if (s[i] == '"')
++            j += 5;
+ 
+     if (j == 0)
+         return apr_pstrmemdup(p, s, i);
+@@ -1779,6 +1781,10 @@
+         else if (s[i] == '&') {
+             memcpy(&x[j], "&", 5);
+             j += 4;
++        }
++        else if (s[i] == '"') {
++            memcpy(&x[j], """, 6);
++            j += 5;
+         }
+         else
+             x[j] = s[i];
+