From 73b86729a10be86be7001d0e1cfe777d3bb72cc2 Mon Sep 17 00:00:00 2001 From: clement Date: Mon, 12 Dec 2005 20:35:19 +0000 Subject: SECURITY: CVE-2005-3352 (cve.mitre.org) mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to ap_escape_html so we escape quotes. Reported by JPCERT. [Mark Cox] Reported by: simon --- www/apache20/Makefile | 2 +- www/apache20/files/patch-secfix-CAN-2005-3352 | 35 +++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 www/apache20/files/patch-secfix-CAN-2005-3352 (limited to 'www/apache20') diff --git a/www/apache20/Makefile b/www/apache20/Makefile index b5dc19e2b83..5cd3bb12746 100644 --- a/www/apache20/Makefile +++ b/www/apache20/Makefile @@ -9,7 +9,7 @@ PORTNAME= apache PORTVERSION= 2.0.55 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \ ${MASTER_SITE_LOCAL:S/$/:powerlogo/} diff --git a/www/apache20/files/patch-secfix-CAN-2005-3352 b/www/apache20/files/patch-secfix-CAN-2005-3352 new file mode 100644 index 00000000000..895e30345d6 --- /dev/null +++ b/www/apache20/files/patch-secfix-CAN-2005-3352 @@ -0,0 +1,35 @@ +--- modules/mappers/mod_imap.c (original) ++++ modules/mappers/mod_imap.c Mon Dec 12 08:41:53 2005 +@@ -342,7 +342,7 @@ + if (!strcasecmp(value, "referer")) { + referer = apr_table_get(r->headers_in, "Referer"); + if (referer && *referer) { +- return apr_pstrdup(r->pool, referer); ++ return ap_escape_html(r->pool, referer); + } + else { + /* XXX: This used to do *value = '\0'; ... which is totally bogus + +--- server/util.c (original) ++++ server/util.c Mon Dec 12 08:41:53 2005 +@@ -1762,6 +1762,8 @@ + j += 3; + else if (s[i] == '&') + j += 4; ++ else if (s[i] == '"') ++ j += 5; + + if (j == 0) + return apr_pstrmemdup(p, s, i); +@@ -1779,6 +1781,10 @@ + else if (s[i] == '&') { + memcpy(&x[j], "&", 5); + j += 4; ++ } ++ else if (s[i] == '"') { ++ memcpy(&x[j], """, 6); ++ j += 5; + } + else + x[j] = s[i]; + -- cgit