diff options
author | clement <clement@FreeBSD.org> | 2005-12-12 20:55:14 +0000 |
---|---|---|
committer | clement <clement@FreeBSD.org> | 2005-12-12 20:55:14 +0000 |
commit | 47f4669c1139f579bdb9d2660eb394ac133ba393 (patch) | |
tree | 7a929cc0886cd44b5b75afa371ece649e6dd71ab /www/apache22 | |
parent | 7355e91db607ce2e98c91ae029e29a718f5769af (diff) | |
download | FreeBSD-ports-47f4669c1139f579bdb9d2660eb394ac133ba393.zip FreeBSD-ports-47f4669c1139f579bdb9d2660eb394ac133ba393.tar.gz |
SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]
Reported by: simon
Diffstat (limited to 'www/apache22')
-rw-r--r-- | www/apache22/Makefile | 2 | ||||
-rw-r--r-- | www/apache22/files/patch-secfix-CAN-2005-3352 | 35 |
2 files changed, 36 insertions, 1 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile index 4398b55..22ffd4b 100644 --- a/www/apache22/Makefile +++ b/www/apache22/Makefile @@ -9,7 +9,7 @@ PORTNAME= apache PORTVERSION= 2.2.0 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \ ${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo diff --git a/www/apache22/files/patch-secfix-CAN-2005-3352 b/www/apache22/files/patch-secfix-CAN-2005-3352 new file mode 100644 index 0000000..cc97428 --- /dev/null +++ b/www/apache22/files/patch-secfix-CAN-2005-3352 @@ -0,0 +1,35 @@ +--- modules/mappers/mod_imagemap.c (original) ++++ modules/mappers/mod_imagemap.c Mon Dec 12 09:27:59 2005 +@@ -342,7 +342,7 @@ + if (!strcasecmp(value, "referer")) { + referer = apr_table_get(r->headers_in, "Referer"); + if (referer && *referer) { +- return apr_pstrdup(r->pool, referer); ++ return apr_escape_html(r->pool, referer); + } + else { + /* XXX: This used to do *value = '\0'; ... which is totally bogus + +--- server/util.c (original) ++++ server/util.c Mon Dec 12 09:27:59 2005 +@@ -1748,6 +1748,8 @@ + j += 3; + else if (s[i] == '&') + j += 4; ++ else if (s[i] == '"') ++ j += 5; + + if (j == 0) + return apr_pstrmemdup(p, s, i); +@@ -1765,6 +1767,10 @@ + else if (s[i] == '&') { + memcpy(&x[j], "&", 5); + j += 4; ++ } ++ else if (s[i] == '"') { ++ memcpy(&x[j], """, 6); ++ j += 5; + } + else + x[j] = s[i]; + |