From: Fabian Keil Date: Tue, 2 Nov 2021 11:11:37 +0000 (+0100) Subject: cgi_error_no_template(): Encode the template name to prevent XSS X-Git-Tag: v_3_0_33~11 X-Git-Url: http://www.privoxy.org/gitweb/%22https:/developer-manual/faq/user-manual/appendix.html?a=commitdiff_plain;h=0e668e9409cbf4ab8bf2d79be204bd4e81a00d85;p=privoxy.git cgi_error_no_template(): Encode the template name to prevent XSS OVE-20211102-0001. CVE-2021-44543. Reported by: Artem Ivanov --- diff --git a/cgi.c b/cgi.c index cb1f0725..e92f7493 100644 --- a/cgi.c +++ b/cgi.c @@ -1199,7 +1199,8 @@ jb_err cgi_error_no_template(const struct client_state *csp, ").

\n" "\n" "\n"; - const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1; + size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1; + const char *encoded_template_name; assert(csp); assert(rsp); @@ -1213,9 +1214,17 @@ jb_err cgi_error_no_template(const struct client_state *csp, rsp->head_length = 0; rsp->is_static = 0; + encoded_template_name = html_encode(template_name); + if (encoded_template_name == NULL) + { + return JB_ERR_MEMORY; + } + + body_size += strlen(encoded_template_name); rsp->body = malloc_or_die(body_size); strlcpy(rsp->body, body_prefix, body_size); - strlcat(rsp->body, template_name, body_size); + strlcat(rsp->body, encoded_template_name, body_size); + freez(encoded_template_name); strlcat(rsp->body, body_suffix, body_size); rsp->status = strdup(status);