Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/03/09 17:42:37 UTC
DO NOT REPLY [Bug 38910] New: - mod_autoindex prints unescaped filenames
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38910>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38910
Summary: mod_autoindex prints unescaped filenames
Product: Apache httpd-2
Version: 2.2.0
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: mod_autoindex
AssignedTo: bugs@httpd.apache.org
ReportedBy: rmg@terc.edu
In the default configuration of Apache httpd-2.2.0, filenames printed by
mod_autoindex are not properly html-escaped. This can inject arbitrary html
directly in the autoindex output, potentially making it unusable for navigation
purposes. For example:
[build, install, and run httpd-2.2.0]
cd $PREFIX/htdocs
mkdir foo
touch "foo/<body onload=alert(1)>"
[visit /foo/ in a browser (tested with Firefox)]
[an alert dialog appears]
Earlier versions of Apache httpd do contain this bug, but are not affected in
their default configurations. The difference is that versions prior to 2.2.0
have "IndexOptions FancyIndexing" enabled in the default httpd.conf, so a
different code path is used to display the filenames.
Here's a patch against 2.2.0 (and probably applicable to earlier versions) which
adds the necessary escaping to the displayed filename in non-fancy, non-table
autoindex output. I'll include it inline because I don't see how to attach a
file in Bugzilla.
--- httpd-2.2.0/modules/generators/mod_autoindex.c.orig Thu Nov 10 09:20:05 2005
+++ httpd-2.2.0/modules/generators/mod_autoindex.c Thu Mar 9 02:42:54 2006
@@ -1819,8 +1819,9 @@
ap_rputc('\n', r);
}
else {
- ap_rvputs(r, "<li><a href=\"", anchor, "\"> ", t2,
- "</a></li>\n", NULL);
+ ap_rvputs(r, "<li><a href=\"", anchor, "\"> ",
+ ap_escape_html(scratch, t2),
+ "</a></li>\n", NULL);
}
}
if (autoindex_opts & TABLE_INDEXING) {
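Review bot: in the else branch, `anchor` is still written into the `href` attribute as-is while only `t2` is wrapped in `ap_escape_html(scratch, t2)`; please confirm that `anchor` is already encoded for an attribute context where it is built, or encode it here as well, since both values come from the same filename. The hunk also shows only this non-fancy, non-table branch, so the description should say whether the other output paths already escape `t2`, and a short comment above the call noting that `t2` is an untrusted directory entry name would keep the escaping from being dropped in a later cleanup.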
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
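The report above comes down to one filename being written into two output contexts of a plain listing entry: the link text and the `href` value. The following is an added example, not httpd's code and not part of the original thread; `put`, `esc_text`, `esc_href` and `render_item` are hypothetical names, and how the real module builds `anchor` is not shown on the page.

```c
#include <stdio.h>
#include <string.h>
/* Append src to the NUL-terminated out; -1 if it would overflow cap. */
static int put(char *out, size_t cap, const char *src) {
    size_t used = strlen(out), n = strlen(src);
    if (used + n + 1 > cap) return -1;
    memcpy(out + used, src, n + 1);
    return 0;
}

/* Escape a filename for HTML element content (the visible link text). */
int esc_text(const char *s, char *out, size_t cap) {
    for (; *s; s++) {
        char one[2] = { *s, '\0' };
        const char *rep = *s == '&' ? "&amp;" : *s == '<' ? "&lt;" :
                          *s == '>' ? "&gt;" : *s == '"' ? "&quot;" : one;
        if (put(out, cap, rep) < 0) return -1;
    }
    return 0;
}

/* Percent-encode a filename for use as a relative href value. */
int esc_href(const char *s, char *out, size_t cap) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char buf[4] = { (char)c, '\0' };
        int safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || strchr("-._~", c) != NULL;
        if (!safe) snprintf(buf, sizeof buf, "%%%02X", (unsigned)c);
        if (put(out, cap, buf) < 0) return -1;
    }
    return 0;
}

/* Render one plain (non-fancy, non-table) listing entry into out. */
int render_item(const char *name, char *out, size_t cap) {
    if (cap == 0) return -1;
    out[0] = '\0';
    return (put(out, cap, "<li><a href=\"") < 0 || esc_href(name, out, cap) < 0 ||
            put(out, cap, "\"> ") < 0 || esc_text(name, out, cap) < 0 ||
            put(out, cap, "</a></li>\n") < 0) ? -1 : 0;
}

int main(void) {   /* constructed sample: the filename from the report */
    char line[256];
    if (render_item("<body onload=alert(1)>", line, sizeof line) == 0)
        fputs(line, stdout);
    return 0;
}
```

A too-small output buffer makes `render_item` return -1 rather than emit a truncated entry, so a caller can skip the entry instead of writing half-escaped markup.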
DO NOT REPLY [Bug 38910] - mod_autoindex prints unescaped filenames
Posted by bu...@apache.org.
------- Additional Comments From rmg@terc.edu 2006-03-09 16:49 -------
Created an attachment (id=17857)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=17857&action=view)
adds proper html escaping
Ok, fine, so I can add an attachment after first creating the bug report.
DO NOT REPLY [Bug 38910] - mod_autoindex prints unescaped filenames
Posted by bu...@apache.org.
wrowe@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable
------- Additional Comments From wrowe@apache.org 2006-03-09 19:19 -------
Thank you for your patch; it appears this affects 2.0 and 1.3 httpd as well?
We very rarely patch httpd 1.3, but this looks like one of those rare examples
of a very clean change affecting all versions.
DO NOT REPLY [Bug 38910] - mod_autoindex prints unescaped filenames
Posted by bu...@apache.org.
jorton@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From jorton@redhat.com 2006-05-17 14:40 -------
Thanks a lot for the patch. Committed to trunk:
http://svn.apache.org/viewcvs.cgi?rev=407265&view=rev
and proposed for 2.2.x.
DO NOT REPLY [Bug 38910] - mod_autoindex prints unescaped filenames
Posted by bu...@apache.org.
------- Additional Comments From rmg@terc.edu 2006-03-09 19:28 -------
(In reply to comment #2)
> Thank you for your patch; it appears this affects 2.0 and 1.3 httpd as well?
Yes, that's correct.