cgi_error_no_template(): Encode the template name to prevent XSS

OVE-20211102-0001. CVE-2021-44543.

Reported by: Artem Ivanov

diff --git a/cgi.c b/cgi.c
index cb1f072..e92f749 100644 (file)
--- a/cgi.c
+++ b/cgi.c
@@ -1199,7 +1199,8 @@ jb_err cgi_error_no_template(const struct client_state *csp,
       ").</p>\n"
       "</body>\n"
       "</html>\n";
       ").</p>\n"
       "</body>\n"
       "</html>\n";

-   const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
+   size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
+   const char *encoded_template_name;

 
    assert(csp);
    assert(rsp);
 
    assert(csp);
    assert(rsp);


@@ -1213,9 +1214,17 @@ jb_err cgi_error_no_template(const struct client_state *csp,
    rsp->head_length = 0;
    rsp->is_static = 0;
 
    rsp->head_length = 0;
    rsp->is_static = 0;
 

+   encoded_template_name = html_encode(template_name);
+   if (encoded_template_name == NULL)
+   {
+      return JB_ERR_MEMORY;
+   }
+
+   body_size += strlen(encoded_template_name);

    rsp->body = malloc_or_die(body_size);
    strlcpy(rsp->body, body_prefix, body_size);
    rsp->body = malloc_or_die(body_size);
    strlcpy(rsp->body, body_prefix, body_size);

-   strlcat(rsp->body, template_name, body_size);
+   strlcat(rsp->body, encoded_template_name, body_size);
+   freez(encoded_template_name);

    strlcat(rsp->body, body_suffix, body_size);
 
    rsp->status = strdup(status);
    strlcat(rsp->body, body_suffix, body_size);
 
    rsp->status = strdup(status);