You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jo...@apache.org on 2012/06/13 17:33:49 UTC

svn commit: r1349905 - in /httpd/httpd/trunk: CHANGES modules/mappers/mod_negotiation.c

Author: jorton
Date: Wed Jun 13 15:33:48 2012
New Revision: 1349905

URL: http://svn.apache.org/viewvc?rev=1349905&view=rev
Log:
SECURITY: CVE-2012-2687 (cve.mitre.org):

mod_negotiation: Escape filenames in variant list to prevent an
possible XSS for a site where untrusted users can upload files to a
location with MultiViews enabled.

* modules/mappers/mod_negotiation.c (make_variant_list): Escape
  filenames in variant list.

Submitted by: Niels Heinen <heinenn google.com>

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/mappers/mod_negotiation.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1349905&r1=1349904&r2=1349905&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Jun 13 15:33:48 2012
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+     mod_negotiation: Escape filenames in variant list to prevent an
+     possible XSS for a site where untrusted users can upload files to
+     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
   *) mod_ssl: If exiting during initialization because of a fatal error,
      log a message to the main error log pointing to the appropriate
      virtual host error log. [Stefan Fritsch]

Modified: httpd/httpd/trunk/modules/mappers/mod_negotiation.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_negotiation.c?rev=1349905&r1=1349904&r2=1349905&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/mappers/mod_negotiation.c (original)
+++ httpd/httpd/trunk/modules/mappers/mod_negotiation.c Wed Jun 13 15:33:48 2012
@@ -2656,9 +2656,9 @@ static char *make_variant_list(request_r
          * need to change the calculation of max_vlist_array above.
          */
         *((const char **) apr_array_push(arr)) = "<li><a href=\"";
-        *((const char **) apr_array_push(arr)) = filename;
+        *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
         *((const char **) apr_array_push(arr)) = "\">";
-        *((const char **) apr_array_push(arr)) = filename;
+        *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
         *((const char **) apr_array_push(arr)) = "</a> ";
         *((const char **) apr_array_push(arr)) = description;