head	1.3;
access;
symbols
	RELEASE_7_0_0:1.2
	RELEASE_6_3_0:1.2
	PRE_XORG_7:1.2
	RELEASE_4_EOL:1.2
	RELEASE_6_2_0:1.2
	RELEASE_6_1_0:1.2
	RELEASE_5_5_0:1.2;
locks; strict;
comment	@# @;


1.3
date	2007.12.11.21.03.06;	author clement;	state dead;
branches;
next	1.2;

1.2
date	2005.12.13.10.51.41;	author clement;	state Exp;
branches;
next	1.1;

1.1
date	2005.12.12.20.55.14;	author clement;	state Exp;
branches;
next	;


desc
@@


1.3
log
@- As scheduled, retire apache 2.1.x
  Its support in bsd.apache.mk will be kept few monthes more
@
text
@--- server/util.c (original)
+++ server/util.c Mon Dec 12 09:27:59 2005
@@@@ -1748,6 +1748,8 @@@@
             j += 3;
         else if (s[i] == '&')
             j += 4;
+        else if (s[i] == '"')
+            j += 5;
 
     if (j == 0)
         return apr_pstrmemdup(p, s, i);
@@@@ -1765,6 +1767,10 @@@@
         else if (s[i] == '&') {
             memcpy(&x[j], "&amp;", 5);
             j += 4;
+        }
+        else if (s[i] == '"') {
+            memcpy(&x[j], "&quot;", 6);
+            j += 5;
         }
         else
             x[j] = s[i];

--- modules/mappers/mod_imagemap.c.orig	Thu Apr  7 04:04:03 2005
+++ modules/mappers/mod_imagemap.c	Mon Dec 12 21:51:15 2005
@@@@ -342,7 +342,7 @@@@
     if (!strcasecmp(value, "referer")) {
         referer = apr_table_get(r->headers_in, "Referer");
         if (referer && *referer) {
-	    return apr_pstrdup(r->pool, referer);
+		return ap_escape_html(r->pool, referer);
         }
         else {
 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
@


1.2
log
@- Fix typo (it's actually in apache SVN repo)

Reported by:	 Matt Smith <matt@@xtaz.co.uk>
@
text
@@


1.1
log
@SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imap: Escape untrusted referer header before outputting in HTML
     to avoid potential cross-site scripting.  Change also made to
     ap_escape_html so we escape quotes.  Reported by JPCERT.
     [Mark Cox]

Reported by:    simon
@
text
@d31 1
a31 1
+		return apr_escape_html(r->pool, referer);
@

