SECURITY: CVE-2005-3352 (cve.mitre.org)

     mod_imap: Escape untrusted referer header before outputting in HTML
     to avoid potential cross-site scripting.  Change also made to
     ap_escape_html so we escape quotes.  Reported by JPCERT.
     [Mark Cox]

Reported by:    simon

2 files changed, 36 insertions, 1 deletions

diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 4398b55a7048..22ffd4b2d2cd 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.2.0
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache22/files/patch-secfix-CAN-2005-3352 b/www/apache22/files/patch-secfix-CAN-2005-3352
new file mode 100644
index 000000000000..cc97428d6b80
--- /dev/null
+++ b/www/apache22/files/patch-secfix-CAN-2005-3352
@@ -0,0 +1,35 @@
+--- modules/mappers/mod_imagemap.c (original)
++++ modules/mappers/mod_imagemap.c Mon Dec 12 09:27:59 2005
+@@ -342,7 +342,7 @@
+     if (!strcasecmp(value, "referer")) {
+         referer = apr_table_get(r->headers_in, "Referer");
+         if (referer && *referer) {
+-            return apr_pstrdup(r->pool, referer);
++            return apr_escape_html(r->pool, referer);
+         }
+         else {
+             /* XXX:  This used to do *value = '\0'; ... which is totally bogus
+
+--- server/util.c (original)
++++ server/util.c Mon Dec 12 09:27:59 2005
+@@ -1748,6 +1748,8 @@
+             j += 3;
+         else if (s[i] == '&')
+             j += 4;
++        else if (s[i] == '"')
++            j += 5;
+ 
+     if (j == 0)
+         return apr_pstrmemdup(p, s, i);
+@@ -1765,6 +1767,10 @@
+         else if (s[i] == '&') {
+             memcpy(&x[j], "&", 5);
+             j += 4;
++        }
++        else if (s[i] == '"') {
++            memcpy(&x[j], """, 6);
++            j += 5;
+         }
+         else
+             x[j] = s[i];
+