[packages/apache.git] / apache-CVE-2005-3352.patch

Index: src/modules/standard/mod_imap.c
===================================================================
--- src/modules/standard/mod_imap.c	(revision 330526)
+++ src/modules/standard/mod_imap.c	(working copy)
@@ -328,7 +328,7 @@
     if (!strcasecmp(value, "referer")) {
         referer = ap_table_get(r->headers_in, "Referer");
         if (referer && *referer) {
-	    return ap_pstrdup(r->pool, referer);
+	    return ap_escape_html(r->pool, referer);
         }
         else {
 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
Index: src/main/util.c
===================================================================
--- src/main/util.c	(revision 330526)
+++ src/main/util.c	(working copy)
@@ -1722,6 +1722,8 @@
 	    j += 3;
 	else if (s[i] == '&')
 	    j += 4;
+	else if (s[i] == '"')
+	    j += 5;
 
     if (j == 0)
 	return ap_pstrndup(p, s, i);
@@ -1740,6 +1742,10 @@
 	    memcpy(&x[j], "&amp;", 5);
 	    j += 4;
 	}
+	else if (s[i] == '"') {
+	    memcpy(&x[j], "&quot;", 6);
+	    j += 5;
+	}
 	else
 	    x[j] = s[i];
Commit	Line	Data
de0fe364	1	Index: src/modules/standard/mod_imap.c
	2	===================================================================
	3	--- src/modules/standard/mod_imap.c (revision 330526)
	4	+++ src/modules/standard/mod_imap.c (working copy)
	5	@@ -328,7 +328,7 @@
255cef4a	6	if (!strcasecmp(value, "referer")) {
de0fe364	7	referer = ap_table_get(r->headers_in, "Referer");
255cef4a	8	if (referer && *referer) {
de0fe364	9	- return ap_pstrdup(r->pool, referer);
255cef4a	10	+ return ap_escape_html(r->pool, referer);
	11	}
	12	else {
	13	/* XXX: This used to do *value = '\0'; ... which is totally bogus
de0fe364	14	Index: src/main/util.c
	15	===================================================================
	16	--- src/main/util.c (revision 330526)
	17	+++ src/main/util.c (working copy)
	18	@@ -1722,6 +1722,8 @@
	19	j += 3;
	20	else if (s[i] == '&')
	21	j += 4;
	22	+ else if (s[i] == '"')
	23	+ j += 5;
	24
	25	if (j == 0)
	26	return ap_pstrndup(p, s, i);
	27	@@ -1740,6 +1742,10 @@
	28	memcpy(&x[j], "&", 5);
	29	j += 4;
	30	}
	31	+ else if (s[i] == '"') {
	32	+ memcpy(&x[j], """, 6);
	33	+ j += 5;
	34	+ }
	35	else
	36	x[j] = s[i];
	37