author | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-23 15:00:08 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-23 15:00:08 +0000 |
commit | efa6734f7e00c3cb95d77b5b5007681f94dd570e (patch) | |
tree | 4adcc290b9b88b17586ac9d131a9a706bedafb9b /chars.c | |
parent | 3d2eb53149ca24b5957180553ec66503bbcd3e7b (diff) | |
download | mandoc-efa6734f7e00c3cb95d77b5b5007681f94dd570e.tar.gz |
Security fix:
After decoding numeric (\N) and one-character (\<, \> etc.)
character escape sequences, do not forget to HTML-encode the
resulting ASCII character. Malicious manuals were able to smuggle
XSS content by roff-escaping the HTML-special characters they need.
That's a classic bug type in many web applications, actually... :-(
Found myself while auditing the HTML formatter for safe output handling.
Diffstat (limited to 'chars.c')
-rw-r--r-- | chars.c | 13 |
1 files changed, 12 insertions, 1 deletions
@@ -127,7 +127,18 @@ mchars_num2uc(const char *p, size_t sz) if ((i = mandoc_strntoi(p, sz, 16)) < 0) return('\0'); - /* FIXME: make sure we're not in a bogus range. */ + + /* + * Security warning: + * Never extend the range of accepted characters + * to overlap with the ASCII range, 0x00-0x7F + * without re-auditing the callers of this function. + * Some callers might relay on the fact that we never + * return ASCII characters for their escaping decisions. + * + * XXX Code is missing here to exclude bogus ranges. + */ + return(i > 0x80 && i <= 0x10FFFF ? i : '\0'); } |
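Review bot: the boundary in the new return line does not match the comment above it: the comment says ASCII is 0x00-0x7F, but `i > 0x80` also rejects 0x80 (U+0080, a non-ASCII C1 control), so either the test should be `i >= 0x80` or the comment should say the lower bound is exclusive. The comment also has a typo, "relay on" should be "rely on", which matters here because this is the security contract callers depend on. Since the `XXX` line admits the bogus-range exclusion is still missing, the obvious one to add before this lands is the UTF-16 surrogate block 0xD800-0xDFFF, which `i <= 0x10FFFF` still lets through even though those values are not valid Unicode scalar values; something like `if (i >= 0xD800 && i <= 0xDFFF) return('\0');` keeps the ASCII guarantee intact while closing that gap.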