* mdocml: Security fix: The function print_encode() is used both for plain
@ 2014-07-22 22:41 schwarze
From: schwarze @ 2014-07-22 22:41 UTC (permalink / raw)
To: source
Log Message:
-----------
Security fix:
The function print_encode() is used both for plain text
and for quoted attribute values.
Escape the '"' character such that malicious manuals cannot pull off
XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe
others) to trigger the latter case.
In the former case, escaping does no harm.
Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Modified Files:
--------------
mdocml:
html.c
Revision Data
-------------
Index: html.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/html.c,v
retrieving revision 1.157
retrieving revision 1.158
diff -Lhtml.c -Lhtml.c -u -p -r1.157 -r1.158
--- html.c
+++ html.c
@@ -330,7 +330,7 @@ print_encode(struct html *h, const char
int c, len, nospace;
const char *seq;
enum mandoc_esc esc;
- static const char rejs[8] = { '\\', '<', '>', '&',
+ static const char rejs[9] = { '\\', '<', '>', '&', '"',
ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
nospace = 0;
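Review bot: the hand-counted size in rejs[9] has to be bumped every time a character joins the reject set, as this line shows; declaring it as static const char rejs[] = { ... } lets the compiler size the array from the initializer, which already ends in '\0'. A one-line comment above the array saying that '"' is listed because print_encode() also writes quoted attribute values would keep a later cleanup from dropping it as unnecessary for body text.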
@@ -359,6 +359,9 @@ print_encode(struct html *h, const char
continue;
case '&':
printf("&");
+ continue;
+ case '"':
+ printf(""");
continue;
case ASCII_NBRSP:
putchar('-');
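Review bot: the new case '"' branch covers the double quote only, so the fix holds only as long as every attribute value print_encode() writes is delimited by double quotes; a value emitted inside single quotes would still be closed by an unescaped '. It is worth confirming that html.c never single-quotes an attribute, or adding ' to rejs with a matching case. Separately, as shown on this page the printf argument in the new branch reads """ and the one in the '&' branch reads "&"; the strings that have to be written are the entities &quot; and &amp;.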
--
To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
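The point of the commit message, that an encoder shared between body text and quoted attribute values must escape '"', shown as an added example. This is not mandoc's code: html_escape(), build_link() and the sample URL are hypothetical names and constructed input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mandoc's print_encode()): append the escaped
 * form of src to the string in dst; return -1 if it does not fit in cap. */
static int html_escape(char *dst, size_t cap, const char *src)
{
	size_t used = strlen(dst);
	for (; *src != '\0'; src++) {
		char one[2] = { *src, '\0' };
		const char *rep = one;
		switch (*src) {
		case '<': rep = "&lt;"; break;
		case '>': rep = "&gt;"; break;
		case '&': rep = "&amp;"; break;
		case '"': rep = "&quot;"; break; /* needed in attribute values */
		}
		if (used + strlen(rep) + 1 > cap)
			return -1;
		memcpy(dst + used, rep, strlen(rep) + 1);
		used += strlen(rep);
	}
	return 0;
}

/* Build <a href="..."> using the same encoder that body text would use. */
static int build_link(char *out, size_t cap, const char *url)
{
	static const char head[] = "<a href=\"", tail[] = "\">";
	if (cap < sizeof(head) + sizeof(tail))
		return -1;
	strcpy(out, head);
	if (html_escape(out, cap - sizeof(tail) + 1, url) == -1)
		return -1;
	strcat(out, tail);
	return 0;
}

int main(void)
{
	char buf[256];
	/* Constructed input: a link target that contains a double quote. */
	if (build_link(buf, sizeof(buf), "http://example.org/\" data-x=\"1") == 0)
		printf("%s\n", buf);
	return 0;
}
```

With the '"' case removed, the same input would close the href value early and the rest of the string would be parsed as further attributes of the tag.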