Posted to cvs@httpd.apache.org by rp...@apache.org on 2007/12/29 10:39:23 UTC
svn commit: r607408 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/generators/mod_status.c
Author: rpluem
Date: Sat Dec 29 01:39:23 2007
New Revision: 607408
URL: http://svn.apache.org/viewvc?rev=607408&view=rev
Log:
Merge r607282 from trunk:
* Ensure refresh parameter is numeric to prevent a possible XSS attack caused
by redirecting to other URLs. Reported by SecurityReason.
Submitted by: Mark Cox, Joe Orton
Reviewed by: rpluem, wrowe, jorton
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/modules/generators/mod_status.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=607408&r1=607407&r2=607408&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Sat Dec 29 01:39:23 2007
@@ -1,9 +1,14 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.7
+ *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+ mod_status: Ensure refresh parameter is numeric to prevent
+ a possible XSS attack caused by redirecting to other URLs.
+ Reported by SecurityReason. [Mark Cox, Joe Orton]
+
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
- [Joe Orton]
+ [Joe Orton]
*) http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
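Review bot: the `- [Joe Orton]` / `+ [Joe Orton]` pair under the CVE-2007-5000 entry looks like a whitespace-only change (the two lines are identical once indentation is stripped) and is unrelated to this fix; harmless, but it would be cleaner in its own commit so the diff for a security entry stays minimal. The new CVE-2007-6388 entry itself matches the log message and credits the same submitters.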
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=607408&r1=607407&r2=607408&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sat Dec 29 01:39:23 2007
@@ -112,14 +112,6 @@
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_status: Ensure refresh parameter is numeric to prevent a possible XSS
- attack caused by redirecting to other URLs.
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=607282&view=rev
- Backport version for 2.0.x of patch:
- http://awe.com/e8f6ad05238f8/CVE-2007-6388-httpd-2.x.patch
- +1: rpluem, wrowe, jorton
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_status.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_status.c?rev=607408&r1=607407&r2=607408&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/generators/mod_status.c (original)
+++ httpd/httpd/branches/2.2.x/modules/generators/mod_status.c Sat Dec 29 01:39:23 2007
@@ -71,6 +71,7 @@
#endif
#define APR_WANT_STRFUNC
#include "apr_want.h"
+#include "apr_strings.h"
#ifdef NEXT
#if (NX_CURRENT_COMPILER_RELEASE == 410)
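Review bot: the added `#include "apr_strings.h"` is required for the `apr_ltoa()` call introduced in the next hunk; `APR_WANT_STRFUNC` with `apr_want.h` only brings in the C library string functions (`strlen`, `strstr`), not the APR string helpers, so without this line the file would not compile or would fall back to an implicit declaration.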
@@ -296,19 +297,18 @@
if ((loc = ap_strstr_c(r->args,
status_options[i].form_data_str)) != NULL) {
switch (status_options[i].id) {
- case STAT_OPT_REFRESH:
- if (*(loc + strlen(status_options[i].form_data_str)) == '='
- && atol(loc + strlen(status_options[i].form_data_str)
- + 1) > 0)
- apr_table_set(r->headers_out,
- status_options[i].hdr_out_str,
- loc +
- strlen(status_options[i].hdr_out_str) +
- 1);
- else
- apr_table_set(r->headers_out,
- status_options[i].hdr_out_str, "1");
+ case STAT_OPT_REFRESH: {
+ apr_size_t len = strlen(status_options[i].form_data_str);
+ long t = 0;
+
+ if (*(loc + len ) == '=') {
+ t = atol(loc + len + 1);
+ }
+ apr_table_set(r->headers_out,
+ status_options[i].hdr_out_str,
+ apr_ltoa(r->pool, t < 1 ? 1 : t));
break;
+ }
case STAT_OPT_NOTABLE:
no_table_report = 1;
break;
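Review bot: the value written to the `Refresh` header is now `apr_ltoa(r->pool, t < 1 ? 1 : t)`, an integer parsed with `atol()` and re-serialized, instead of the raw query-string tail (`loc + strlen(status_options[i].hdr_out_str) + 1`) that the removed lines copied verbatim into `apr_table_set()`; that re-serialization is what stops characters after the digits from reaching the response header, so the shape of the fix is right. Two smaller points on the new lines: `*(loc + len )` has a stray space before the closing parenthesis, and `atol()` has undefined behaviour when the digit run does not fit in a `long`, so `strtol()` or `apr_strtoi64()` with an explicit upper bound alongside the existing `t < 1 ? 1 : t` lower clamp would make the parse fully defined. Also worth noting: the removed code computed the `'='` check offset from `form_data_str` but the value offset from `hdr_out_str`, two different fields; the new code uses the single `len` for both, which removes that inconsistency.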