diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-23 15:00:08 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-23 15:00:08 +0000 |
commit | 6f5332923fc94cad0bee91d0c1fa8be521828d5c (patch) | |
tree | 2e8849fe31297bf03a63cdfed8e5a75d1c933097 /chars.c | |
parent | 5958bb58d226401788b8cb09c2a2b93dc28de2d5 (diff) | |
download | mandoc-6f5332923fc94cad0bee91d0c1fa8be521828d5c.tar.gz mandoc-6f5332923fc94cad0bee91d0c1fa8be521828d5c.tar.zst mandoc-6f5332923fc94cad0bee91d0c1fa8be521828d5c.zip |
Security fix:
After decoding numeric (\N) and one-character (\<, \> etc.)
character escape sequences, do not forget to HTML-encode the
resulting ASCII character. Malicious manuals were able to smuggle
XSS content by roff-escaping the HTML-special characters they need.
That's a classic bug type in many web applications, actually... :-(
Found myself while auditing the HTML formatter for safe output handling.
Diffstat (limited to 'chars.c')
-rw-r--r-- | chars.c | 15 |
1 files changed, 13 insertions, 2 deletions
@@ -1,4 +1,4 @@ -/* $Id: chars.c,v 1.57 2014/04/20 16:46:04 schwarze Exp $ */ +/* $Id: chars.c,v 1.58 2014/07/23 15:00:08 schwarze Exp $ */ /* * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2011 Ingo Schwarze <schwarze@openbsd.org> @@ -127,7 +127,18 @@ mchars_num2uc(const char *p, size_t sz) if ((i = mandoc_strntoi(p, sz, 16)) < 0) return('\0'); - /* FIXME: make sure we're not in a bogus range. */ + + /* + * Security warning: + * Never extend the range of accepted characters + * to overlap with the ASCII range, 0x00-0x7F + * without re-auditing the callers of this function. + * Some callers might relay on the fact that we never + * return ASCII characters for their escaping decisions. + * + * XXX Code is missing here to exclude bogus ranges. + */ + return(i > 0x80 && i <= 0x10FFFF ? i : '\0'); } |