From: Fabian Keil Date: Wed, 27 May 2020 08:15:24 +0000 (+0200) Subject: HTML-encode the certificate info shown in case of verification failures X-Git-Tag: v_3_0_29~382 X-Git-Url: http://www.privoxy.org/gitweb/%22https:/faq/developer-manual/man-page/static/newrelease.html?a=commitdiff_plain;h=792f1ac29229f719b18f76043ac11d78d1434a12;p=privoxy.git HTML-encode the certificate info shown in case of verification failures We don't want to allow code injection through crafted certificates. Sponsored by: Robert Klemme --- diff --git a/ssl.c b/ssl.c index beb74a2f..da456e6a 100644 --- a/ssl.c +++ b/ssl.c @@ -50,6 +50,7 @@ #include "errlog.h" #include "jcc.h" #include "ssl.h" +#include "encode.h" /* @@ -2143,8 +2144,15 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt, /* * Saving certificate information into buffer */ - mbedtls_x509_crt_info(last->text_buf, sizeof(last->text_buf) - 1, - CERT_INFO_PREFIX, crt); + { + char buf[CERT_INFO_BUF_SIZE]; + char *encoded_text; + + mbedtls_x509_crt_info(buf, sizeof(buf), CERT_INFO_PREFIX, crt); + encoded_text = html_encode(buf); + strlcpy(last->text_buf, encoded_text, sizeof(last->text_buf)); + freez(encoded_text); + } return 0; }