squid/CVE-2019-13345.patch

From be1dc8614e7514103ba84d4067ed6fd15ab8f82e Mon Sep 17 00:00:00 2001
From: Amos Jeffries <yadij@users.noreply.github.com>
Date: Fri, 5 Jul 2019 03:17:26 +0000
Subject: [PATCH] Bug 4957: Multiple XSS issues in cachemgr.cgi (#429)

The cachemgr.cgi web module of the squid proxy is vulnerable
to XSS issue. The vulnerable parameters "user_name" and "auth"
have insufficient sanitization in place.
---
 tools/cachemgr.cc | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

Index: squid-4.6/tools/cachemgr.cc
===================================================================
--- squid-4.6.orig/tools/cachemgr.cc	2019-07-11 13:05:23.027988071 -0400
+++ squid-4.6/tools/cachemgr.cc	2019-07-11 13:05:23.027988071 -0400
@@ -355,7 +355,7 @@ auth_html(const char *host, int port, co
 
     printf("<TR><TH ALIGN=\"left\">Manager name:</TH><TD><INPUT NAME=\"user_name\" ");
 
-    printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", user_name);
+    printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", rfc1738_escape(user_name));
 
     printf("<TR><TH ALIGN=\"left\">Password:</TH><TD><INPUT TYPE=\"password\" NAME=\"passwd\" ");
 
@@ -419,7 +419,7 @@ menu_url(cachemgr_request * req, const c
              script_name,
              req->hostname,
              req->port,
-             safe_str(req->user_name),
+             rfc1738_escape(safe_str(req->user_name)),
              action,
              safe_str(req->pub_auth));
     return url;
@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req)
     const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
                                 req->hostname,
                                 (int) now,
-                                req->user_name ? req->user_name : "",
-                                req->passwd);
+                                rfc1738_escape(safe_str(req->user_name)),
+                                rfc1738_escape(req->passwd));
     debug("cmgr: pre-encoded for pub: %s\n", buf);
 
     const int encodedLen = base64_encode_len(bufLen);
@@ -1094,7 +1094,5 @@ decode_pub_auth(cachemgr_request * req)
     const char *host_name;
     const char *time_str;
-    const char *user_name;
-    const char *passwd;
 
     debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
     safe_free(req->passwd);
@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req)
 
     debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
 
+    char *user_name;
     if ((user_name = strtok(NULL, "|")) == NULL) {
         xfree(buf);
         return;
     }
+    rfc1738_unescape(user_name);
 
     debug("cmgr: decoded uname: '%s'\n", user_name);
 
+    char *passwd;
     if ((passwd = strtok(NULL, "|")) == NULL) {
         xfree(buf);
         return;
     }
+    rfc1738_unescape(passwd);
 
     debug("cmgr: decoded passwd: '%s'\n", passwd);
Package init 2019-09-30 11:17:36 -04:00			`From be1dc8614e7514103ba84d4067ed6fd15ab8f82e Mon Sep 17 00:00:00 2001`
			`From: Amos Jeffries <yadij@users.noreply.github.com>`
			`Date: Fri, 5 Jul 2019 03:17:26 +0000`
			`Subject: [PATCH] Bug 4957: Multiple XSS issues in cachemgr.cgi (#429)`

			`The cachemgr.cgi web module of the squid proxy is vulnerable`
			`to XSS issue. The vulnerable parameters "user_name" and "auth"`
			`have insufficient sanitization in place.`
			`---`
			`tools/cachemgr.cc \| 14 ++++++++------`
			`1 file changed, 8 insertions(+), 6 deletions(-)`

			`Index: squid-4.6/tools/cachemgr.cc`
			`===================================================================`
			`--- squid-4.6.orig/tools/cachemgr.cc 2019-07-11 13:05:23.027988071 -0400`
			`+++ squid-4.6/tools/cachemgr.cc 2019-07-11 13:05:23.027988071 -0400`
			`@@ -355,7 +355,7 @@ auth_html(const char *host, int port, co`

			`printf("<TR><TH ALIGN=\"left\">Manager name:</TH><TD><INPUT NAME=\"user_name\" ");`

			`- printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", user_name);`
			`+ printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", rfc1738_escape(user_name));`

			`printf("<TR><TH ALIGN=\"left\">Password:</TH><TD><INPUT TYPE=\"password\" NAME=\"passwd\" ");`

			`@@ -419,7 +419,7 @@ menu_url(cachemgr_request * req, const c`
			`script_name,`
			`req->hostname,`
			`req->port,`
			`- safe_str(req->user_name),`
			`+ rfc1738_escape(safe_str(req->user_name)),`
			`action,`
			`safe_str(req->pub_auth));`
			`return url;`
			`@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req)`
			`const int bufLen = snprintf(buf, sizeof(buf), "%s\|%d\|%s\|%s",`
			`req->hostname,`
			`(int) now,`
			`- req->user_name ? req->user_name : "",`
			`- req->passwd);`
			`+ rfc1738_escape(safe_str(req->user_name)),`
			`+ rfc1738_escape(req->passwd));`
			`debug("cmgr: pre-encoded for pub: %s\n", buf);`

			`const int encodedLen = base64_encode_len(bufLen);`
			`@@ -1094,7 +1094,5 @@ decode_pub_auth(cachemgr_request * req)`
			`const char *host_name;`
			`const char *time_str;`
			`- const char *user_name;`
			`- const char *passwd;`

			`debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));`
			`safe_free(req->passwd);`
			`@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req)`

			`debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);`

			`+ char *user_name;`
			`if ((user_name = strtok(NULL, "\|")) == NULL) {`
			`xfree(buf);`
			`return;`
			`}`
			`+ rfc1738_unescape(user_name);`

			`debug("cmgr: decoded uname: '%s'\n", user_name);`

			`+ char *passwd;`
			`if ((passwd = strtok(NULL, "\|")) == NULL) {`
			`xfree(buf);`
			`return;`
			`}`
			`+ rfc1738_unescape(passwd);`

			`debug("cmgr: decoded passwd: '%s'\n", passwd);`