Author: rmeggins Update of /cvs/dirsec/adminserver/admserv/cgi-src40 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3348/adminserver/admserv/cgi-src40 Modified Files: security.c Log Message: Resolves: bug 462411 Bug Description: certificate request wizard returns an error Reviewed by: nkinder (Thanks!) Fix Description: This was broken as part of the fix for the XSS issues. To fix that, in order to make sure we never displayed any string that contained unescaped HTML entities, we just go ahead and escape everything when we read the values from the CGI GET or POST arguments. For this particular bug, this meant the cert CGI was getting a DN like this: CN="ldap.example.com" instead of CN="ldap.example.com". The solution is to add some functions to adminutil (stolen from dsgw) that can be used to escape/unescape HTML entities. We have to be careful never to display unescaped strings - in this particular case, the DN is never printed. Platforms tested: RHEL5 Flag Day: yes - will require new adminutil, adminserver Doc impact: no Index: security.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/security.c,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- security.c 14 Jul 2008 20:00:02 -0000 1.15 +++ security.c 3 Dec 2008 17:32:17 -0000 1.16 @@ -1165,6 +1165,9 @@ /* to do token here */ privateKey = generateKey(&publicKey, tokenName); + /* can be done in place */ + unescape_entities(DN); /* e.g. convert " to " */ + /* since DN now contains unescaped entities, it must never be displayed */ fprintf(stdout, HEADERREQUEST, _new?CERTREQ_NEW:CERTREQ_OLD); fprintf(stdout, "%s", BTOA_ConvertItemToAscii(generateCertificateRequest(privateKey, publicKey, DN))); fprintf(stdout, FOOTERREQUEST, _new?CERTREQ_NEW:CERTREQ_OLD);