ASF Bugzilla – Attachment 17200 Details for Bug 37874: CVE-2005-3352 mod_imap cross-site scripting flaw
[patch] Patch for apache-2.0 tree (ack fielding, jorton)
CVE-2005-3352-2.0.patch (text/plain), 1.81 KB, created by Mark Cox on 2005-12-12 17:25:14 UTC
>Index: server/util.c >=================================================================== >--- server/util.c (revision 330526) >+++ server/util.c (working copy) >@@ -1762,6 +1762,8 @@ > j += 3; > else if (s[i] == '&') > j += 4; >+ else if (s[i] == '"') >+ j += 5; > > if (j == 0) > return apr_pstrmemdup(p, s, i); >@@ -1780,6 +1782,10 @@ > memcpy(&x[j], "&", 5); > j += 4; > } >+ else if (s[i] == '"') { >+ memcpy(&x[j], """, 6); >+ j += 5; >+ } > else > x[j] = s[i]; > >Index: CHANGES >=================================================================== >--- CHANGES (revision 330526) >+++ CHANGES (working copy) >@@ -1,6 +1,12 @@ > -*- coding: utf-8 -*- > Changes with Apache 2.0.56 > >+ *) SECURITY: CVE-2005-3352 (cve.mitre.org) >+ mod_imap: Escape untrusted referer header before outputting in HTML >+ to avoid potential cross-site scripting. Change also made to >+ ap_escape_html so we escape quotes. Reported by JPCERT. >+ [Mark Cox] >+ > *) mod_cgi(d): Remove block on OPTIONS method so that scripts can > respond to OPTIONS directly rather than via server default. > [Roy Fielding] PR 15242 >Index: modules/mappers/mod_imap.c >=================================================================== >--- modules/mappers/mod_imap.c (revision 330526) >+++ modules/mappers/mod_imap.c (working copy) >@@ -342,7 +342,7 @@ > if (!strcasecmp(value, "referer")) { > referer = apr_table_get(r->headers_in, "Referer"); > if (referer && *referer) { >- return apr_pstrdup(r->pool, referer); >+ return ap_escape_html(r->pool, referer); > } > else { > /* XXX: This used to do *value = '\0'; ... which is totally bogus
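Review bot: In the counting pass of server/util.c (hunk at -1762), only the double quote joins the set of escaped characters, so a value written into a single-quoted attribute can still close that attribute. Consider handling `'` in both this pass and the copy loop, or state in the function's documentation that its output is safe only in element content and double-quoted attributes.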
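Review bot: In the copy loop of server/util.c (hunk at -1780), the new branch relies on the constants 6 and 5 agreeing with the `j += 5` added to the counting pass; if one is changed without the other, the buffer sized by the first pass no longer matches what the second pass writes. A comment tying the two branches together, or deriving both values from the length of the entity string, would make that invariant explicit. The literal appears on this page as `"""`, three characters against a copy length of 6, which matches the six-character entity `&quot;` having been decoded by the page rendering; check the raw attachment before applying.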
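Review bot: The CHANGES entry says ap_escape_html now escapes "quotes", while the util.c hunks add only the double quote; writing "double quotes" would avoid implying that single quotes are covered. Because ap_escape_html lives in server/util.c and is not private to mod_imap, the entry could also say that the output changes for every caller of that function.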
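Review bot: In modules/mappers/mod_imap.c (hunk at -342), the Referer value is escaped where it is returned, so every consumer of this return value now receives HTML-entity-encoded text. If any caller uses the result outside HTML output, for example as a redirect target, an `&` in the URL would arrive as `&amp;`; confirm that all uses write into HTML, or move the escaping to the point of output.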