Fix bug 326297: various security holes caused by lack of quoting around

displayed URLs.

include/net.h

@@ -1912,6 +1912,12 @@ extern char* NET_ScanHTMLForURLs(const char* input);
 extern char * NET_EscapeHTML(const char * string);
 
 
+/* escapes doubles quotes in a url, to protect
+ * the html page embedding the url.
+ */
+extern char * NET_EscapeDoubleQuote(const char * string);
+
+
 /* register a newsrc file mapping
  */
 extern Bool NET_RegisterNewsrcFile(char *filename, 

lib/layout/layinfo.c

@@ -451,6 +451,7 @@ LO_DocumentInfo(MWContext *context, NET_StreamClass *stream)
 	char *backdrop_image_url;
 	char *url;
 	char *base_url;
+	char *escaped;
 	lo_FormData *form_list;
 
 	if (context == NULL)
@@ -488,12 +489,16 @@ LO_DocumentInfo(MWContext *context, NET_StreamClass *stream)
 		char buf[1024];
 
 		url = XP_STRDUP(top_state->url);
-		XP_STRCPY(buf, "<A TARGET=Internal_URL_Info HREF=about:");
+		XP_STRCPY(buf, "<A TARGET=Internal_URL_Info HREF=\"about:");
 		STREAM_WRITE(buf);
-		STREAM_WRITE(url);
+		escaped = NET_EscapeDoubleQuote(url);
-		XP_STRCPY(buf,">");
+		STREAM_WRITE(escaped);
+		PR_Free(escaped);
+		XP_STRCPY(buf,"\">");
 		STREAM_WRITE(buf);
-		STREAM_WRITE(url);
+		escaped = NET_EscapeHTML(url);
+		STREAM_WRITE(escaped);
+		PR_Free(escaped);
 		XP_STRCPY(buf,"</A><UL>");
 		STREAM_WRITE(buf);
 		XP_FREE(url);

lib/libmisc/glhist.c

@@ -902,6 +902,7 @@ NET_DisplayGlobalHistoryInfoAsHTML(MWContext *context,
 	time_t entry_date;
 	int status = MK_NO_DATA;
 	int32 count=0;
+	char *escaped;
 	static char LINK_START[] = "<A href=\"";
 	static char LINK_END[] = "\">";
 	static char END_LINK[] = "</A>";
@@ -983,9 +984,9 @@ PUT_PART(buffer);
 		if(status < 0)
   			goto END;
 
-		/* push the key special since we know the size */
+		escaped = NET_EscapeDoubleQuote((char*)key.data);
-		status = (*stream->put_block)(stream,
+		PUT_PART(escaped);
-									  (char*)key.data, key.size);
+		XP_FREE(escaped);
 		if(status < 0)
   			goto END;
 
@@ -993,9 +994,9 @@ PUT_PART(buffer);
 		if(status < 0)
   			goto END;
 
-		/* push the key special since we know the size */
+		escaped = NET_EscapeHTML((char*)key.data);
-		status = (*stream->put_block)(stream,
+		PUT_PART(escaped);
-									  (char*)key.data, key.size);
+		XP_FREE(escaped);
 		if(status < 0)
   			goto END;
 

modules/libimg/src/ilclient.cpp

@@ -20,7 +20,7 @@
  *   ilclient.c --- Management of imagelib client data structures,
  *                  including image cache.
  *
- *   $Id: ilclient.cpp,v 3.3 1998-09-09 19:08:32 pnunn%netscape.com Exp $
+ *   $Id: ilclient.cpp,v 3.4 1998-10-01 00:23:05 norris%netscape.com Exp $
  */
 
 
@@ -964,12 +964,14 @@ IL_DisplayMemCacheInfoAsHTML(FO_Present_Types format_out, URL_Struct *urls,
 
             /* Emit DocInfo link to URL */
             address = ic->url_address;
-            PL_strcpy(buffer, "<A TARGET=Internal_URL_Info HREF=about:");
+            PL_strcpy(buffer, "<A TARGET=Internal_URL_Info HREF=\"about:");
-            PL_strcat(buffer, address);
+            escaped = NET_EscapeDoubleQuote(address);
-            PL_strcat(buffer, ">");
+            PL_strcat(buffer, escaped);
+            PR_Free(escaped);
+            PL_strcat(buffer, "\">");
             escaped = NET_EscapeHTML(address);
             PL_strcat(buffer, escaped);
-            PR_FREEIF(escaped);
+            PR_Free(escaped);
             PL_strcat(buffer, "</A>");
             ADD_CELL("URL:", buffer);
             

network/cache/mkcache.c

@@ -3661,10 +3661,12 @@ PUT_PART(buffer);
 			address = (char *)key.data+8;
 
 			TABLE_TOP("URL:");
-			PL_strcpy(buffer, "<A TARGET=Internal_URL_Info HREF=about:");
+			PL_strcpy(buffer, "<A TARGET=Internal_URL_Info HREF=\"about:");
 			PUT_PART(buffer);
-			PUT_PART(address);
+			escaped = NET_EscapeDoubleQuote(address);
-			PL_strcpy(buffer, ">");
+			PUT_PART(escaped);
+			PR_Free(escaped);
+			PL_strcpy(buffer, "\">");
 			PUT_PART(buffer);
 			escaped = NET_EscapeHTML(address);
 			PUT_PART(escaped);

network/cache/mkmemcac.c

@@ -1857,10 +1857,12 @@ PUT_PART(buffer);
 
 		/* put the URL out there */
 		TABLE_TOP("URL:");
-		PL_strcpy(buffer, "<A TARGET=Internal_URL_Info HREF=about:");
+		PL_strcpy(buffer, "<A TARGET=Internal_URL_Info HREF=\"about:");
 		PUT_PART(buffer);
-		PUT_PART(address);
+		escaped = NET_EscapeDoubleQuote(address);
-		PL_strcpy(buffer, ">");
+		PUT_PART(escaped);
+		PR_Free(escaped);
+		XP_STRCPY(buffer, "\">");
 		PUT_PART(buffer);
 		escaped = NET_EscapeHTML(address);
 		PUT_PART(escaped);

network/main/mkutils.c

@@ -2269,6 +2269,34 @@ NET_EscapeHTML(const char * string)
 	return(rv);
 }
 
+/* URL-encode all '"' characters in a string into %22.
+ * returns a string that must be freed
+ */
+PUBLIC char *
+NET_EscapeDoubleQuote(const char * string)
+{
+	char *rv = (char *) PR_Malloc(PL_strlen(string)*3 + 1);
+	char *ptr = rv;
+	if (rv) 
+	  {
+		for (; *string != '\0'; string++) 
+		  {
+			if (*string == '"')
+			  {
+				*ptr++ = '%';
+				*ptr++ = '2';
+				*ptr++ = '2';
+			  }
+			else
+			  {
+				*ptr++ = *string;
+			  }
+		  }
+		*ptr = '\0';
+	  }
+	return rv;
+}
+
 
 PUBLIC char *
 NET_SpaceToPlus(char * string)

network/protocol/about/mkabout.c

@@ -64,6 +64,7 @@ net_OutputURLDocInfo(MWContext *ctxt, char *which, char **data, int32 *length)
 	struct tm *tm_struct_p;
 	char buf[64];
 	char *tmp=0;
+	char *escaped;
 	char *sec_msg, *il_msg;
 
 	NET_FindURLInCache(URL_s, ctxt);
@@ -92,9 +93,13 @@ net_OutputURLDocInfo(MWContext *ctxt, char *which, char **data, int32 *length)
 	StrAllocCopy(output, "<TABLE>");
 
 	StrAllocCopy(tmp, "<A HREF=\"");
-	StrAllocCat(tmp, URL_s->address);
+	escaped = NET_EscapeDoubleQuote(URL_s->address);
+	StrAllocCat(tmp, escaped);
+	PR_Free(escaped);
 	StrAllocCat(tmp, "\">");
-	StrAllocCat(tmp, URL_s->address);
+	escaped = NET_EscapeHTML(URL_s->address);
+	StrAllocCat(tmp, escaped);
+	PR_Free(escaped);
 	StrAllocCat(tmp, "</a>");
 	if(URL_s->is_netsite)
 	  {