Commit a37a43fc authored by Mark J. Cox

Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw

Submitted by: Mark Cox <mjc apache.org>
Reviewed by: jorton, mjc, fielding
PR: 37874


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@356278 13f79535-47bb-0310-9956-ffa450edef68
parent 25df5513
+6 −0
Changes with Apache 1.3.35

  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imap: Escape untrusted referer header before outputting in HTML
     to avoid potential cross-site scripting.  Change also made to
     ap_escape_html so we escape quotes.  Reported by JPCERT.
     [Mark Cox]

  *) mod_cgi: Remove block on OPTIONS method so that scripts can
     respond to OPTIONS directly rather than via server default.
     [Roy Fielding] PR 15242
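Review bot: the CHANGES entry should state that the quote escaping is a change in the output of a public API (ap_escape_html is API_EXPORT and used by every module), not a mod_imap-only detail: any caller that compares or tokenizes the escaped string on a literal `"` now sees `&quot;` instead. One extra sentence such as "ap_escape_html now also converts '"' to &quot;; callers that relied on quotes passing through unchanged must adjust" would make the scope clear to module authors reading the release notes.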
+6 −0
@@ -1722,6 +1722,8 @@ API_EXPORT(char *) ap_escape_html(pool *p, const char *s)
	    j += 3;
	else if (s[i] == '&')
	    j += 4;
	else if (s[i] == '"')
	    j += 5;

    if (j == 0)
	return ap_pstrndup(p, s, i);
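Review bot: the sizing pass now adds 5 for each `"`, which matches the six-byte `&quot;` replacing one byte (the same accounting as `&amp;` with `j += 4`), so the buffer length derived from j stays in step with the copy pass later in the function. The omission worth flagging is `'`: it still passes through unchanged, so the escaped string is safe in HTML text and inside double-quoted attributes but not inside single-quoted ones; if any caller emits it in that context, a `'` to `&#39;` case (`j += 4` here and a matching memcpy in the copy pass) belongs in this same commit rather than a later one.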
@@ -1740,6 +1742,10 @@ API_EXPORT(char *) ap_escape_html(pool *p, const char *s)
	    memcpy(&x[j], "&amp;", 5);
	    j += 4;
	}
	else if (s[i] == '"') {
	    memcpy(&x[j], "&quot;", 6);
	    j += 5;
	}
	else
	    x[j] = s[i];
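Review bot: the new branch writes six bytes with memcpy but advances j by only 5, relying on the loop's own per-character increment to cover the sixth, exactly as the `&amp;` branch does with 5 bytes and `j += 4`; that is correct but easy to get wrong, so a one-line comment above the chain (for example `/* j counts extra bytes; the loop increments for the replaced char itself */`) would help whoever adds the next entity. Because the sizing pass and this copy pass must list the same characters with the same counts, a character counted in one hunk but not handled in the other would under- or over-run the buffer, so any future addition has to land in both places together.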

+1 −1
@@ -328,7 +328,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
    if (!strcasecmp(value, "referer")) {
        referer = ap_table_get(r->headers_in, "Referer");
        if (referer && *referer) {
	    return ap_pstrdup(r->pool, referer);
	    return ap_escape_html(r->pool, referer);
        }
        else {
	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
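Review bot: the page rendering dropped the +/- markers, so the two consecutive return lines are the removed `ap_pstrdup(r->pool, referer)` and the added `ap_escape_html(r->pool, referer)`, consistent with the `-328,7 +328,7` header. Escaping at this point is correct as long as imap_url's result is written into HTML text or a double-quoted attribute (the quote handling added to ap_escape_html in this same commit is what makes the attribute case safe); a short comment naming the intended output context would document why the Referer is escaped here rather than at the print site, since HTML escaping is not the matching encoding if the value were ever emitted elsewhere. The hunk also covers only the `referer` branch: the function takes `base` and `value` as well, so the same review should confirm that every other branch returning caller-supplied text is escaped on its way out, or that escaping is applied once at the emission point instead.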