diff options
| author | clement <clement@FreeBSD.org> | 2005-12-13 04:31:53 +0800 |
|---|---|---|
| committer | clement <clement@FreeBSD.org> | 2005-12-13 04:31:53 +0800 |
| commit | d73dde31fa2cdb62e87f6e83ca92d1de98a1cf5d (patch) | |
| tree | b80e897502da5551ac2fabbc7ba06834e1a650b5 /www | |
| parent | 1249d6538d33f3c4e7ffad5ca6c7ec9b2dd98c06 (diff) | |
| download | freebsd-ports-gnome-d73dde31fa2cdb62e87f6e83ca92d1de98a1cf5d.tar.gz freebsd-ports-gnome-d73dde31fa2cdb62e87f6e83ca92d1de98a1cf5d.tar.zst freebsd-ports-gnome-d73dde31fa2cdb62e87f6e83ca92d1de98a1cf5d.zip | |
SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]
Reported by: simon
Diffstat (limited to 'www')
| -rw-r--r-- | www/apache13-modperl/Makefile | 1 | ||||
| -rw-r--r-- | www/apache13-modperl/files/patch-secfix-CAN-2005-3352 | 35 | ||||
| -rw-r--r-- | www/apache13-ssl/Makefile | 2 | ||||
| -rw-r--r-- | www/apache13-ssl/files/patch-secfix-CAN-2005-3352 | 35 |
4 files changed, 72 insertions, 1 deletions
diff --git a/www/apache13-modperl/Makefile b/www/apache13-modperl/Makefile index e929f7cdea48..ff6441de2db5 100644 --- a/www/apache13-modperl/Makefile +++ b/www/apache13-modperl/Makefile @@ -7,6 +7,7 @@ PORTNAME= apache+mod_perl PORTVERSION= ${VERSION_APACHE} +PORTREVISION= 1 CATEGORIES= www perl5 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD:S/$/:apache/} \ ${MASTER_SITE_PERL_CPAN:S/$/Apache\/:modperl/} diff --git a/www/apache13-modperl/files/patch-secfix-CAN-2005-3352 b/www/apache13-modperl/files/patch-secfix-CAN-2005-3352 new file mode 100644 index 000000000000..8febc0e58935 --- /dev/null +++ b/www/apache13-modperl/files/patch-secfix-CAN-2005-3352 @@ -0,0 +1,35 @@ +--- src/main/util.c (original) ++++ src/main/util.c Mon Dec 12 08:36:54 2005 +@@ -1722,6 +1722,8 @@ + j += 3; + else if (s[i] == '&') + j += 4; ++ else if (s[i] == '"') ++ j += 5; + + if (j == 0) + return ap_pstrndup(p, s, i); +@@ -1739,6 +1741,10 @@ + else if (s[i] == '&') { + memcpy(&x[j], "&", 5); + j += 4; ++ } ++ else if (s[i] == '"') { ++ memcpy(&x[j], """, 6); ++ j += 5; + } + else + x[j] = s[i]; + +--- src/modules/standard/mod_imap.c (original) ++++ src/modules/standard/mod_imap.c Mon Dec 12 08:36:54 2005 +@@ -328,7 +328,7 @@ + if (!strcasecmp(value, "referer")) { + referer = ap_table_get(r->headers_in, "Referer"); + if (referer && *referer) { +- return ap_pstrdup(r->pool, referer); ++ return ap_escape_html(r->pool, referer); + } + else { + /* XXX: This used to do *value = '\0'; ... which is totally bogus + diff --git a/www/apache13-ssl/Makefile b/www/apache13-ssl/Makefile index fdadde323da2..a8a03f04545c 100644 --- a/www/apache13-ssl/Makefile +++ b/www/apache13-ssl/Makefile @@ -9,7 +9,7 @@ PORTNAME= apache+ssl PORTVERSION= ${APACHE_VERSION}.${APACHE_SSL_VERSION} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www security MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \ ${MASTER_SITES_APACHE_SSL:S/$/:ssl/} diff --git a/www/apache13-ssl/files/patch-secfix-CAN-2005-3352 b/www/apache13-ssl/files/patch-secfix-CAN-2005-3352 new file mode 100644 index 000000000000..8febc0e58935 --- /dev/null +++ b/www/apache13-ssl/files/patch-secfix-CAN-2005-3352 @@ -0,0 +1,35 @@ +--- src/main/util.c (original) ++++ src/main/util.c Mon Dec 12 08:36:54 2005 +@@ -1722,6 +1722,8 @@ + j += 3; + else if (s[i] == '&') + j += 4; ++ else if (s[i] == '"') ++ j += 5; + + if (j == 0) + return ap_pstrndup(p, s, i); +@@ -1739,6 +1741,10 @@ + else if (s[i] == '&') { + memcpy(&x[j], "&", 5); + j += 4; ++ } ++ else if (s[i] == '"') { ++ memcpy(&x[j], """, 6); ++ j += 5; + } + else + x[j] = s[i]; + +--- src/modules/standard/mod_imap.c (original) ++++ src/modules/standard/mod_imap.c Mon Dec 12 08:36:54 2005 +@@ -328,7 +328,7 @@ + if (!strcasecmp(value, "referer")) { + referer = ap_table_get(r->headers_in, "Referer"); + if (referer && *referer) { +- return ap_pstrdup(r->pool, referer); ++ return ap_escape_html(r->pool, referer); + } + else { + /* XXX: This used to do *value = '\0'; ... which is totally bogus + |