From 6f5332923fc94cad0bee91d0c1fa8be521828d5c Mon Sep 17 00:00:00 2001
From: Ingo Schwarze
Date: Wed, 23 Jul 2014 15:00:08 +0000
Subject: Security fix: After decoding numeric (\N) and one-character (\<, \> etc.) character escape sequences, do not forget to HTML-encode the resulting ASCII character. Malicious manuals were able to smuggle XSS content by roff-escaping the HTML-special characters they need. That's a classic bug type in many web applications, actually... :-( Found myself while auditing the HTML formatter for safe output handling.
---
chars.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'chars.c')
diff --git a/chars.c b/chars.c
index baa56003..d758d0cc 100644
--- a/chars.c
+++ b/chars.c
@@ -1,4 +1,4 @@
-/* $Id: chars.c,v 1.57 2014/04/20 16:46:04 schwarze Exp $ */
+/* $Id: chars.c,v 1.58 2014/07/23 15:00:08 schwarze Exp $ */
 /*
  * Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons
  * Copyright (c) 2011 Ingo Schwarze
@@ -127,7 +127,18 @@ mchars_num2uc(const char *p, size_t sz)
 if ((i = mandoc_strntoi(p, sz, 16)) < 0)
 return('\0');
- /* FIXME: make sure we're not in a bogus range. */
+
+ /*
+ * Security warning:
+ * Never extend the range of accepted characters
+ * to overlap with the ASCII range, 0x00-0x7F
+ * without re-auditing the callers of this function.
+ * Some callers might relay on the fact that we never
+ * return ASCII characters for their escaping decisions.
+ *
+ * XXX Code is missing here to exclude bogus ranges.
+ */
+
 return(i > 0x80 && i <= 0x10FFFF ? i : '\0');
 }
--
cgit v1.2.3-56-ge451
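Review bot: The new security comment in the second hunk of chars.c does not quite match the code it guards: it states the ASCII range as 0x00-0x7F, but the return expression on the following line `i > 0x80 && i <= 0x10FFFF` also rejects 0x80, and the failure value `'\0'` is itself an ASCII character, so a caller that relies on "never ASCII" for its escaping decision must still check for `'\0'` before emitting anything; I would spell that out, e.g. `* Callers must treat a '\0' return as "no character" and never emit it.`. The typo `relay on` should read `rely on`. The `XXX` note about bogus ranges could be partly resolved in the same check by rejecting UTF-16 surrogates, `if (i >= 0xD800 && i <= 0xDFFF) return('\0');` before the final return, since those are never valid code points and, depending on the encoder, may produce ill-formed output. The head of mchars_num2uc lies outside this hunk, so whether `i` is declared wide enough for 0x10FFFF is not visible here.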