From ced40a2efce9e93f2a6bbefae0e42d680d633cda Mon Sep 17 00:00:00 2001
From: schwarze
Date: Tue, 22 Jul 2014 22:41:29 +0000
Subject: [PATCH] Security fix: The function print_encode() is used both for plain text and for quoted attribute values. Escape the '"' character such that malicious manuals cannot pull off XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe others) to trigger the latter case. In the former case, escaping does no harm. Issue found by Sebastien Marie .
---
 usr.bin/mandoc/html.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/usr.bin/mandoc/html.c b/usr.bin/mandoc/html.c
index 50a1f7ac1f5..4bd617bb7a7 100644
--- a/usr.bin/mandoc/html.c
+++ b/usr.bin/mandoc/html.c
@@ -1,4 +1,4 @@
-/* $Id: html.c,v 1.36 2014/04/23 16:07:06 schwarze Exp $ */
+/* $Id: html.c,v 1.37 2014/07/22 22:41:29 schwarze Exp $ */
 /*
  * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons
  * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze
@@ -326,7 +326,7 @@ print_encode(struct html *h, const char *p, int norecurse)
  int c, len, nospace;
  const char *seq;
  enum mandoc_esc esc;
- static const char rejs[8] = { '\\', '<', '>', '&',
+ static const char rejs[9] = { '\\', '<', '>', '&', '"',
  ASCII_NBRSP, ASCII_HYPH, ASCII_BREAK, '\0' };
 
  nospace = 0;
@@ -356,6 +356,9 @@ print_encode(struct html *h, const char *p, int norecurse)
  case '&':
  printf("&");
  continue;
+ case '"':
+ printf(""");
+ continue;
  case ASCII_NBRSP:
  putchar('-');
  continue;
--
2.20.1
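Review bot: The new `case '"'` in the third hunk escapes the double quote, but the apostrophe `'` is still passed through; if any attribute value in this file is ever emitted with single quotes, it remains a break-out character in that context, so it is worth escaping alongside the others — `case '\'': printf("&#39;"); continue;` with `'\''` added to `rejs` (size 10) in the second hunk. The visible hunks do not show how attributes are quoted, so this is a defensive addition rather than a confirmed gap. As rendered here the printf arguments appear as `"&"` and `"""`; these are presumably `&amp;` and `&quot;` with the entities decoded by the page extraction, and the committed source should be checked to confirm the entity text. print_encode's body begins and ends outside both hunks.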