You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jo...@apache.org on 2007/12/12 13:36:55 UTC
svn commit: r603597 - in /httpd/httpd/branches/1.3.x/src: CHANGES
modules/standard/mod_imap.c
Author: jorton
Date: Wed Dec 12 04:36:54 2007
New Revision: 603597
URL: http://svn.apache.org/viewvc?rev=603597&view=rev
Log:
Fix CVE-2007-5000:
* src/modules/standard/mod_imap.c (menu_header): Fix cross-site
scripting issue by escaping the URI, and ensure that a charset
parameter is sent in the content-type to prevent autodetection by
broken browsers.
Reported by: JPCERT
Modified:
httpd/httpd/branches/1.3.x/src/CHANGES
httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c
Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?rev=603597&r1=603596&r2=603597&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Wed Dec 12 04:36:54 2007
@@ -1,5 +1,9 @@
Changes with Apache 1.3.40
+ *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+ mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
+ [Joe Orton]
+
*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
Modified: httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c?rev=603597&r1=603596&r2=603597&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c (original)
+++ httpd/httpd/branches/1.3.x/src/modules/standard/mod_imap.c Wed Dec 12 04:36:54 2007
@@ -463,7 +463,7 @@
static void menu_header(request_rec *r, char *menu)
{
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=ISO-8859-1";
ap_send_http_header(r);
#ifdef CHARSET_EBCDIC
/* Server-generated response, converted */
@@ -471,11 +471,13 @@
#endif
ap_hard_timeout("send menu", r); /* killed in menu_footer */
- ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
- "</title>\n</head><body>\n", NULL);
+ ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
+ ap_escape_html(r->pool, r->uri),
+ "</title>\n</head><body>\n", NULL);
if (!strcasecmp(menu, "formatted")) {
- ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL);
+ ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri),
+ "</h1>\n<hr>\n\n", NULL);
}
return;