Posted to cvs@httpd.apache.org by jo...@apache.org on 2007/12/12 13:36:55 UTC

svn commit: r603597 - in /httpd/httpd/branches/1.3.x/src: CHANGES modules/standard/mod_imap.c

Author: jorton
Date: Wed Dec 12 04:36:54 2007
New Revision: 603597

URL: http://svn.apache.org/viewvc?rev=603597&view=rev
Log:
Fix CVE-2007-5000:

* src/modules/standard/mod_imap.c (menu_header): Fix cross-site
  scripting issue by escaping the URI, and ensure that a charset
  parameter is sent in the content-type to prevent autodetection by
  broken browsers.

Reported by: JPCERT

Modified:
    httpd/httpd/branches/1.3.x/src/CHANGES
    httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c

Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?rev=603597&r1=603596&r2=603597&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Wed Dec 12 04:36:54 2007
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.40
 
+  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+     mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
+    [Joe Orton]
+
   *) SECURITY: CVE-2007-3847 (cve.mitre.org)
      mod_proxy: Prevent reading past the end of a buffer when parsing
      date-related headers.  PR 41144.

Modified: httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c?rev=603597&r1=603596&r2=603597&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c (original)
+++ httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c Wed Dec 12 04:36:54 2007
@@ -463,7 +463,7 @@
 
 static void menu_header(request_rec *r, char *menu)
 {
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
     ap_send_http_header(r);
 #ifdef CHARSET_EBCDIC
     /* Server-generated response, converted */
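Review bot: The new `charset=ISO-8859-1` on the `r->content_type` assignment in menu_header carries no comment explaining that it is a security measure, so a later cleanup could reduce it to plain `text/html` again. I would add above the assignment `/* Explicit charset: keeps browsers from auto-detecting the encoding of the echoed URI (CVE-2007-5000). */`. The body of menu_header continues past the end of this hunk.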
@@ -471,11 +471,13 @@
 #endif
     ap_hard_timeout("send menu", r);       /* killed in menu_footer */
 
-    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
-           "</title>\n</head><body>\n", NULL);
+    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", 
+              ap_escape_html(r->pool, r->uri),
+              "</title>\n</head><body>\n", NULL);
 
     if (!strcasecmp(menu, "formatted")) {
-        ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL);
+        ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri),
+                  "</h1>\n<hr>\n\n", NULL);
     }
 
     return;
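Review bot: `ap_escape_html(r->pool, r->uri)` is evaluated twice when `menu` is "formatted", once for the `<title>` and once for the `<h1>`, and each call allocates the same string from the request pool. Escaping once into a local, `const char *uri = ap_escape_html(r->pool, r->uri);`, and passing `uri` to both `ap_rvputs` calls keeps the two output sinks visibly in sync, which makes it harder for a later edit to reintroduce the raw `r->uri` in one of them. The first changed `ap_rvputs` line also ends with a trailing space after `"<title>Menu for ",`. The function begins in the previous hunk and its closing brace lies outside this one.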