
(-)src/modules/standard/mod_imap.c (-1 / +1 lines)
Lines 328-334 Link Here
328
    if (!strcasecmp(value, "referer")) {
328
    if (!strcasecmp(value, "referer")) {
329
        referer = ap_table_get(r->headers_in, "Referer");
329
        referer = ap_table_get(r->headers_in, "Referer");
330
        if (referer && *referer) {
330
        if (referer && *referer) {
331
	    return ap_pstrdup(r->pool, referer);
331
	    return ap_escape_html(r->pool, referer);
332
        }
332
        }
333
        else {
333
        else {
334
	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
334
	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
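Review bot: The escaping at line 331 is applied where the header is read rather than where it is written into HTML, so every consumer of this function's return value now receives an entity-encoded string; if any caller outside the hunk uses the value as a redirect target rather than as HTML text (not visible here), an `&` in the referer would reach it as `&amp;`. A clearer split is to keep `ap_pstrdup` here and call `ap_escape_html` at the HTML sink, or at least pin the contract with a comment on the return, e.g. `/* referer is HTML-escaped here: safe for text and double-quoted attributes only, not for Location headers or single-quoted contexts */`. As changed in this commit, ap_escape_html leaves `'` unescaped, which is why the contract matters. The enclosing function starts and ends outside the hunk.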
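--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,11 @@
 Changes with Apache 1.3.35
 
+  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+     mod_imap: Escape untrusted referer header before outputting in HTML
+     to avoid potential cross-site scripting.  Change also made to
+     ap_escape_html so we escape quotes.  Reported by JPCERT.
+     [Mark Cox]
+
   *) mod_cgi: Remove block on OPTIONS method so that scripts can
      respond to OPTIONS directly rather than via server default.
      [Roy Fielding] PR 15242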
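--- a/src/main/util.c
+++ b/src/main/util.c
@@ -1722,6 +1722,8 @@
 	    j += 3;
 	else if (s[i] == '&')
 	    j += 4;
+	else if (s[i] == '"')
+	    j += 5;
 
     if (j == 0)
 	return ap_pstrndup(p, s, i);
@@ -1740,6 +1742,10 @@
 	    memcpy(&x[j], "&", 5);
 	    j += 4;
 	}
+	else if (s[i] == '"') {
+	    memcpy(&x[j], """, 6);
+	    j += 5;
+	}
 	else
 	    x[j] = s[i];
 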
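Review bot: The widths added in both hunks (`j += 5` in the counting pass, `memcpy(..., 6); j += 5` in the copy pass) are hard-coded and must agree with each other and with the allocation that sits between the hunks, outside the view; a comment at the head of the counting pass, e.g. `/* extra bytes per escaped char: keep in sync with the emit loop below */`, would make that coupling explicit. The page has HTML-decoded the string literals: `memcpy(&x[j], "&", 5)` and `memcpy(&x[j], """, 6)` cannot be the committed text (the second is not valid C, and `&quot;` is six bytes), so the raw patch should be consulted before these lines are reused. With `"` now handled, `'` is still copied through unchanged, so output placed in a single-quoted attribute remains unescaped; noting that limitation in ap_escape_html's header comment would help callers. The enclosing function spans both hunks and continues outside them.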
