From 792f1ac29229f719b18f76043ac11d78d1434a12 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 27 May 2020 10:15:24 +0200
Subject: [PATCH] HTML-encode the certificate info shown in case of
 verification failures

We don't want to allow code injection through crafted certificates.

Sponsored by: Robert Klemme
---
 ssl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ssl.c b/ssl.c
index beb74a2f..da456e6a 100644
--- a/ssl.c
+++ b/ssl.c
@@ -50,6 +50,7 @@
 #include "errlog.h"
 #include "jcc.h"
 #include "ssl.h"
+#include "encode.h"
 
 
 /*
@@ -2143,8 +2144,15 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt,
    /*
     * Saving certificate information into buffer
     */
-   mbedtls_x509_crt_info(last->text_buf, sizeof(last->text_buf) - 1,
-      CERT_INFO_PREFIX, crt);
+   {
+      char buf[CERT_INFO_BUF_SIZE];
+      char *encoded_text;
+
+      mbedtls_x509_crt_info(buf, sizeof(buf), CERT_INFO_PREFIX, crt);
+      encoded_text = html_encode(buf);
+      strlcpy(last->text_buf, encoded_text, sizeof(last->text_buf));
+      freez(encoded_text);
+   }
 
    return 0;
 }
-- 
2.39.2