From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Nov 2021 11:11:37 +0000 (+0100)
Subject: cgi_error_no_template(): Encode the template name to prevent XSS
X-Git-Tag: v_3_0_33~11
X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff_plain;h=0e668e9409cbf4ab8bf2d79be204bd4e81a00d85

cgi_error_no_template(): Encode the template name to prevent XSS

OVE-20211102-0001. CVE-2021-44543.

Reported by: Artem Ivanov
---

diff --git a/cgi.c b/cgi.c
index cb1f0725..e92f7493 100644
--- a/cgi.c
+++ b/cgi.c
@@ -1199,7 +1199,8 @@ jb_err cgi_error_no_template(const struct client_state *csp,
       ").</p>\n"
       "</body>\n"
       "</html>\n";
-   const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
+   size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
+   const char *encoded_template_name;
 
    assert(csp);
    assert(rsp);
@@ -1213,9 +1214,17 @@ jb_err cgi_error_no_template(const struct client_state *csp,
    rsp->head_length = 0;
    rsp->is_static = 0;
 
+   encoded_template_name = html_encode(template_name);
+   if (encoded_template_name == NULL)
+   {
+      return JB_ERR_MEMORY;
+   }
+
+   body_size += strlen(encoded_template_name);
    rsp->body = malloc_or_die(body_size);
    strlcpy(rsp->body, body_prefix, body_size);
-   strlcat(rsp->body, template_name, body_size);
+   strlcat(rsp->body, encoded_template_name, body_size);
+   freez(encoded_template_name);
    strlcat(rsp->body, body_suffix, body_size);
 
    rsp->status = strdup(status);