authorJoe Orton <jorton@apache.org>2005-12-16 14:27:47 +0000
committerJoe Orton <jorton@apache.org>2005-12-16 14:27:47 +0000
commit90521799bdb923df031e975021b7ce1d093fc4eb (patch)
tree49e808cbcb7f3607e2b7d7e93e27f961b60dbeb7
parent948e9ab8b204b6fa4056558fef8433a81fabbf01 (diff)
Bring forward the fix for CVE-2005-3352 already on the branches:
* modules/mappers/mod_imagemap.c (imap_url): Escape the referer. * server/util.c (ap_escape_html): Escape the " character. Submitted by: mjc Reviewed by: fielding, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@357161 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--modules/mappers/mod_imagemap.c2
-rw-r--r--server/util.c6
2 files changed, 7 insertions, 1 deletions
diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c
index 2bbdef54cc..9bf8c1659f 100644
--- a/modules/mappers/mod_imagemap.c
+++ b/modules/mappers/mod_imagemap.c
@@ -342,7 +342,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
if (!strcasecmp(value, "referer")) {
referer = apr_table_get(r->headers_in, "Referer");
if (referer && *referer) {
- return apr_pstrdup(r->pool, referer);
+ return ap_escape_html(r->pool, referer);
}
else {
/* XXX: This used to do *value = '\0'; ... which is totally bogus
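Review bot: The Referer value is now HTML-escaped at the return inside imap_url rather than at the point where the string is written into a page, so every caller receives the escaped form. The callers are outside this hunk, but if any of them uses the result as a redirect target instead of as HTML text, a referer containing `&` would go out as `&amp;` and the URL would change. A comment on the return would record the intent, for example `/* HTML-escaped: the result may be emitted into generated markup */`, and header-bound uses are worth confirming separately. imap_url's body starts and ends outside the hunk.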
diff --git a/server/util.c b/server/util.c
index 0d9acf948e..36dfc0f3cd 100644
--- a/server/util.c
+++ b/server/util.c
@@ -1748,6 +1748,8 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
j += 3;
else if (s[i] == '&')
j += 4;
+ else if (s[i] == '"')
+ j += 5;
if (j == 0)
return apr_pstrmemdup(p, s, i);
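Review bot: The added `"` branch covers double-quoted attribute values, but `'` still passes through both the sizing loop here and the copy loop in the later hunk at -1766, so output placed in a single-quoted attribute is not protected. Either document the limit on the function, for example `/* escapes < > & " only; not safe inside single-quoted attribute values */`, or add a matching `'` case emitting `&#39;` to both loops. The `j += 5` here and the 6-byte `memcpy` with `j += 5` in the copy loop must stay in step, and the entity lengths are hard-coded in two places, which is easy to get wrong when adding a case. ap_escape_html's body starts and ends outside both hunks.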
@@ -1766,6 +1768,10 @@ AP_DECLARE(char *) ap_escape_html(apr_pool_t *p, const char *s)
memcpy(&x[j], "&amp;", 5);
j += 4;
}
+ else if (s[i] == '"') {
+ memcpy(&x[j], "&quot;", 6);
+ j += 5;
+ }
else
x[j] = s[i];