From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Wed, 23 Jan 2019 15:43:55 +0000 (+0000)
Subject: [CritFix] Html: Entities are not valid within tag params values
X-Git-Tag: 1.9.0~262
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=9c23b08876a546e6de060a2b7820189f8acf813f;p=rspamd.git

[CritFix] Html: Entities are not valid within tag params values
---

diff --git a/src/libserver/html.c b/src/libserver/html.c
index afaeae4c5..ee276d813 100644
--- a/src/libserver/html.c
+++ b/src/libserver/html.c
@@ -1148,18 +1148,15 @@ rspamd_html_parse_tag_content (rspamd_mempool_t *pool,
 			store = TRUE;
 			state = parse_end_dquote;
 		}
+
 		if (store) {
 			if (*savep != NULL) {
-				gchar *s;
-
 				g_assert (tag->params != NULL);
 				comp = g_queue_peek_tail (tag->params);
 				g_assert (comp != NULL);
 				comp->len = in - *savep;
-				s = rspamd_mempool_alloc (pool, comp->len);
-				memcpy (s, *savep, comp->len);
-				comp->len = rspamd_html_decode_entitles_inplace (s, comp->len);
-				comp->start = s;
+				comp->start = *savep;
+				/* We cannot use entities inside tag values ! */
 				*savep = NULL;
 			}
 		}
@@ -1172,16 +1169,11 @@ rspamd_html_parse_tag_content (rspamd_mempool_t *pool,
 		}
 		if (store) {
 			if (*savep != NULL) {
-				gchar *s;
-
 				g_assert (tag->params != NULL);
 				comp = g_queue_peek_tail (tag->params);
 				g_assert (comp != NULL);
 				comp->len = in - *savep;
-				s = rspamd_mempool_alloc (pool, comp->len);
-				memcpy (s, *savep, comp->len);
-				comp->len = rspamd_html_decode_entitles_inplace (s, comp->len);
-				comp->start = s;
+				comp->start = *savep;
 				*savep = NULL;
 			}
 		}
@@ -1199,16 +1191,11 @@ rspamd_html_parse_tag_content (rspamd_mempool_t *pool,
 
 		if (store) {
 			if (*savep != NULL) {
-				gchar *s;
-
 				g_assert (tag->params != NULL);
 				comp = g_queue_peek_tail (tag->params);
 				g_assert (comp != NULL);
 				comp->len = in - *savep;
-				s = rspamd_mempool_alloc (pool, comp->len);
-				memcpy (s, *savep, comp->len);
-				comp->len = rspamd_html_decode_entitles_inplace (s, comp->len);
-				comp->start = s;
+				comp->start = *savep;
 				*savep = NULL;
 			}
 		}
@@ -1319,9 +1306,12 @@ rspamd_html_process_url (rspamd_mempool_t *pool, const gchar *start, guint len,
 		}
 	}
 
-	/* We also need to remove all internal newlines and encode unsafe characters */
+	/*
+	 * We also need to remove all internal newlines, spaces
+	 * and encode unsafe characters
+	 */
 	for (i = 0; i < len; i ++) {
-		if (G_UNLIKELY (s[i] == '\r' || s[i] == '\n')) {
+		if (G_UNLIKELY (g_ascii_isspace (s[i]))) {
 			continue;
 		}
 		else if (G_UNLIKELY (((guint)s[i]) < 0x80 && !g_ascii_isgraph (s[i]))) {