fix a cross-site scripting vulnerability in mod_imap;

CVE-2005-3352

ok niallo@; henning@ no objections

2 files changed, 7 insertions, 1 deletions

diff --git a/usr.sbin/httpd/src/main/util.c b/usr.sbin/httpd/src/main/util.c
index c9fd0f9f4c3..94a2c8c4a7c 100644
--- a/usr.sbin/httpd/src/main/util.c
+++ b/usr.sbin/httpd/src/main/util.c
@@ -1692,6 +1692,8 @@ API_EXPORT(char *) ap_escape_html(pool *p, const char *s)
 	    j += 3;
 	else if (s[i] == '&')
 	    j += 4;
+	else if (s[i] == '"')
+	    j += 5; 
 
     if (j == 0)
 	return ap_pstrndup(p, s, i);
@@ -1710,6 +1712,10 @@ API_EXPORT(char *) ap_escape_html(pool *p, const char *s)
 	    memcpy(&x[j], "&", 5);
 	    j += 4;
 	}
+	else if (s[i] == '"') {
+	    memcpy(&x[j], """, 6);
+	    j += 5;
+	}
 	else
 	    x[j] = s[i];
 
diff --git a/usr.sbin/httpd/src/modules/standard/mod_imap.c b/usr.sbin/httpd/src/modules/standard/mod_imap.c
index cbc4d8b73c0..145deeaea70 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_imap.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_imap.c
@@ -367,7 +367,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
     if (!strcasecmp(value, "referer")) {
         referer = ap_table_get(r->headers_in, "Referer");
         if (referer && *referer) {
-	    return ap_pstrdup(r->pool, referer);
+	    return ap_escape_html(r->pool, referer);
         }
         else {
 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus