SECURITY: CVE-2005-3352 (cve.mitre.org)

mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to ap_escape_html so we escape quotes. Reported by JPCERT. [Mark Cox] Reported by: simon
svn path=/head/; revision=151041
2005-12-12 20:31:53 +00:00 · 2005-12-12 20:31:53 +00:00 · f22b2cf232 · 2021-03-31 03:12:20 +00:00
commit f22b2cf232
parent d2053e182e
4 changed files with 72 additions and 1 deletions
--- a/www/apache13-modperl/Makefile
+++ b/www/apache13-modperl/Makefile
@ -7,6 +7,7 @@

 PORTNAME=	apache+mod_perl
 PORTVERSION=	${VERSION_APACHE}
+PORTREVISION=	1
 CATEGORIES=	www perl5
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD:S/$/:apache/} \
 		${MASTER_SITE_PERL_CPAN:S/$/Apache\/:modperl/}
--- a/www/apache13-modperl/files/patch-secfix-CAN-2005-3352
+++ b/www/apache13-modperl/files/patch-secfix-CAN-2005-3352
@ -0,0 +1,35 @@
+--- src/main/util.c (original)
+++ src/main/util.c Mon Dec 12 08:36:54 2005
+@@ -1722,6 +1722,8 @@
+ 	    j += 3;
+ 	else if (s[i] == '&')
+ 	    j += 4;
+	else if (s[i] == '"')
+	    j += 5;
+ 
+     if (j == 0)
+ 	return ap_pstrndup(p, s, i);
+@@ -1739,6 +1741,10 @@
+ 	else if (s[i] == '&') {
+ 	    memcpy(&x[j], "&amp;", 5);
+ 	    j += 4;
+	}
+	else if (s[i] == '"') {
+	    memcpy(&x[j], "&quot;", 6);
+	    j += 5;
+ 	}
+ 	else
+ 	    x[j] = s[i];
+
+--- src/modules/standard/mod_imap.c (original)
+++ src/modules/standard/mod_imap.c Mon Dec 12 08:36:54 2005
+@@ -328,7 +328,7 @@
+     if (!strcasecmp(value, "referer")) {
+         referer = ap_table_get(r->headers_in, "Referer");
+         if (referer && *referer) {
+-	    return ap_pstrdup(r->pool, referer);
+	    return ap_escape_html(r->pool, referer);
+         }
+         else {
+ 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
+
--- a/www/apache13-ssl/Makefile
+++ b/www/apache13-ssl/Makefile
@ -9,7 +9,7 @@

 PORTNAME=	apache+ssl
 PORTVERSION=	${APACHE_VERSION}.${APACHE_SSL_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www security
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		${MASTER_SITES_APACHE_SSL:S/$/:ssl/}
--- a/www/apache13-ssl/files/patch-secfix-CAN-2005-3352
+++ b/www/apache13-ssl/files/patch-secfix-CAN-2005-3352
@ -0,0 +1,35 @@
+--- src/main/util.c (original)
+++ src/main/util.c Mon Dec 12 08:36:54 2005
+@@ -1722,6 +1722,8 @@
+ 	    j += 3;
+ 	else if (s[i] == '&')
+ 	    j += 4;
+	else if (s[i] == '"')
+	    j += 5;
+ 
+     if (j == 0)
+ 	return ap_pstrndup(p, s, i);
+@@ -1739,6 +1741,10 @@
+ 	else if (s[i] == '&') {
+ 	    memcpy(&x[j], "&amp;", 5);
+ 	    j += 4;
+	}
+	else if (s[i] == '"') {
+	    memcpy(&x[j], "&quot;", 6);
+	    j += 5;
+ 	}
+ 	else
+ 	    x[j] = s[i];
+
+--- src/modules/standard/mod_imap.c (original)
+++ src/modules/standard/mod_imap.c Mon Dec 12 08:36:54 2005
+@@ -328,7 +328,7 @@
+     if (!strcasecmp(value, "referer")) {
+         referer = ap_table_get(r->headers_in, "Referer");
+         if (referer && *referer) {
+-	    return ap_pstrdup(r->pool, referer);
+	    return ap_escape_html(r->pool, referer);
+         }
+         else {
+ 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
+