[packages/apache.git] / apache-CVE-2005-3352.patch

http://bugs.gentoo.org/show_bug.cgi?id=118875

--- server/util.c	(revision 330526)
+++ server/util.c	(working copy)
@@ -1762,6 +1762,8 @@
             j += 3;
         else if (s[i] == '&')
             j += 4;
+        else if (s[i] == '"')
+            j += 5;
 
     if (j == 0)
         return apr_pstrmemdup(p, s, i);
@@ -1780,6 +1782,10 @@
             memcpy(&x[j], "&amp;", 5);
             j += 4;
         }
+        else if (s[i] == '"') {
+            memcpy(&x[j], "&quot;", 6);
+            j += 5;
+        }
         else
             x[j] = s[i];
 
--- modules/mappers/mod_imap.c	(revision 330526)
+++ modules/mappers/mod_imap.c	(working copy)
@@ -342,7 +342,7 @@
     if (!strcasecmp(value, "referer")) {
         referer = apr_table_get(r->headers_in, "Referer");
         if (referer && *referer) {
-	    return apr_pstrdup(r->pool, referer);
+	    return ap_escape_html(r->pool, referer);
         }
         else {
 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
Commit	Line	Data
255cef4a	1	http://bugs.gentoo.org/show_bug.cgi?id=118875
	2
	3	--- server/util.c (revision 330526)
	4	+++ server/util.c (working copy)
	5	@@ -1762,6 +1762,8 @@
	6	j += 3;
	7	else if (s[i] == '&')
	8	j += 4;
	9	+ else if (s[i] == '"')
	10	+ j += 5;
	11
	12	if (j == 0)
	13	return apr_pstrmemdup(p, s, i);
	14	@@ -1780,6 +1782,10 @@
	15	memcpy(&x[j], "&", 5);
	16	j += 4;
	17	}
	18	+ else if (s[i] == '"') {
	19	+ memcpy(&x[j], """, 6);
	20	+ j += 5;
	21	+ }
	22	else
	23	x[j] = s[i];
	24
	25	--- modules/mappers/mod_imap.c (revision 330526)
	26	+++ modules/mappers/mod_imap.c (working copy)
	27	@@ -342,7 +342,7 @@
	28	if (!strcasecmp(value, "referer")) {
	29	referer = apr_table_get(r->headers_in, "Referer");
	30	if (referer && *referer) {
	31	- return apr_pstrdup(r->pool, referer);
	32	+ return ap_escape_html(r->pool, referer);
	33	}
	34	else {
	35	/* XXX: This used to do *value = '\0'; ... which is totally bogus