sync/ports
1
0
Fork 0
mirror of https://git.freebsd.org/ports.git synced 2025-07-18 09:49:18 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

SECURITY: CVE-2005-3352 (cve.mitre.org)

Browse source 
mod_imap: Escape untrusted referer header before outputting in HTML
   to avoid potential cross-site scripting.  Change also made to
   ap_escape_html so we escape quotes.  Reported by JPCERT.
   [Mark Cox]

Reported by:	simon
This commit is contained in:
Clement Laforet 2005-12-12 20:31:53 +00:00
parent d2053e182e
commit f22b2cf232
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=151041
4 changed files with 72 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
www/apache13-modperl/Makefile
View file

@ -7,6 +7,7 @@
PORTNAME= apache+mod_perl PORTNAME= apache+mod_perl
PORTVERSION= ${VERSION_APACHE} PORTVERSION= ${VERSION_APACHE}
PORTREVISION= 1
CATEGORIES= www perl5 CATEGORIES= www perl5
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD:S/$/:apache/} \ MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD:S/$/:apache/} \
${MASTER_SITE_PERL_CPAN:S/$/Apache\/:modperl/} ${MASTER_SITE_PERL_CPAN:S/$/Apache\/:modperl/}

35
www/apache13-modperl/files/patch-secfix-CAN-2005-3352 Normal file
View file

@ -0,0 +1,35 @@
--- src/main/util.c (original)
+++ src/main/util.c Mon Dec 12 08:36:54 2005
@@ -1722,6 +1722,8 @@
j += 3;
else if (s[i] == '&')
j += 4;
+ else if (s[i] == '"')
+ j += 5;
if (j == 0)
return ap_pstrndup(p, s, i);
@@ -1739,6 +1741,10 @@
else if (s[i] == '&') {
memcpy(&x[j], "&", 5);
j += 4;
+ }
+ else if (s[i] == '"') {
+ memcpy(&x[j], """, 6);
+ j += 5;
}
else
x[j] = s[i];
--- src/modules/standard/mod_imap.c (original)
+++ src/modules/standard/mod_imap.c Mon Dec 12 08:36:54 2005
@@ -328,7 +328,7 @@
if (!strcasecmp(value, "referer")) {
referer = ap_table_get(r->headers_in, "Referer");
if (referer && *referer) {
- return ap_pstrdup(r->pool, referer);
+ return ap_escape_html(r->pool, referer);
}
else {
/* XXX: This used to do *value = '\0'; ... which is totally bogus

2
www/apache13-ssl/Makefile
View file

@ -9,7 +9,7 @@
PORTNAME= apache+ssl PORTNAME= apache+ssl
PORTVERSION= ${APACHE_VERSION}.${APACHE_SSL_VERSION} PORTVERSION= ${APACHE_VERSION}.${APACHE_SSL_VERSION}
PORTREVISION= 1 PORTREVISION= 2
CATEGORIES= www security CATEGORIES= www security
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \ MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
${MASTER_SITES_APACHE_SSL:S/$/:ssl/} ${MASTER_SITES_APACHE_SSL:S/$/:ssl/}

35
www/apache13-ssl/files/patch-secfix-CAN-2005-3352 Normal file
View file

@ -0,0 +1,35 @@
--- src/main/util.c (original)
+++ src/main/util.c Mon Dec 12 08:36:54 2005
@@ -1722,6 +1722,8 @@
j += 3;
else if (s[i] == '&')
j += 4;
+ else if (s[i] == '"')
+ j += 5;
if (j == 0)
return ap_pstrndup(p, s, i);
@@ -1739,6 +1741,10 @@
else if (s[i] == '&') {
memcpy(&x[j], "&", 5);
j += 4;
+ }
+ else if (s[i] == '"') {
+ memcpy(&x[j], """, 6);
+ j += 5;
}
else
x[j] = s[i];
--- src/modules/standard/mod_imap.c (original)
+++ src/modules/standard/mod_imap.c Mon Dec 12 08:36:54 2005
@@ -328,7 +328,7 @@
if (!strcasecmp(value, "referer")) {
referer = ap_table_get(r->headers_in, "Referer");
if (referer && *referer) {
- return ap_pstrdup(r->pool, referer);
+ return ap_escape_html(r->pool, referer);
}
else {
/* XXX: This used to do *value = '\0'; ... which is totally bogus