You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2007/12/12 20:38:27 UTC
svn commit: r603711 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS
modules/mappers/mod_imagemap.c
Author: wrowe
Date: Wed Dec 12 11:38:26 2007
New Revision: 603711
URL: http://svn.apache.org/viewvc?rev=603711&view=rev
Log:
Fix CVE-2007-5000:
* modules/mappers/mod_imagemap.c (menu_header): Fix
cross-site-scripting issue by escaping the URI, and ensure that a
charset parameter is sent in the content-type to prevent
autodetection by broken browsers.
Reported by: JPCERT
Backports: r603282
Submitted by: jorton
Reviewed by: rpluem, trawick, wrowe
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=603711&r1=603710&r2=603711&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Dec 12 11:38:26 2007
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.7
+ *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+ mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
+ [Joe Orton]
+
*) core: Fix broken chunk filtering that causes all non blocking reads to be
converted into blocking reads. PR 19954, 41056.
[Jean-Frederic Clere, Jim Jagielski]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=603711&r1=603710&r2=603711&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Dec 12 11:38:26 2007
@@ -85,13 +85,6 @@
2.2.x version of the patch works
+1 mturk, fuankg, rpluem
- * SECURITY: mod_imagemap: fix XSS issue (CVE-2007-2500)
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=603282&view=rev
- Backport version for 2.2.x of patch:
- Trunk version of patch works (will add CHANGES entry too)
- +1: jorton, rpluem, trawick
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
Modified: httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c?rev=603711&r1=603710&r2=603711&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/mappers/mod_imagemap.c Wed Dec 12 11:38:26 2007
@@ -479,13 +479,16 @@
static void menu_header(request_rec *r, char *menu)
{
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
- ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
- "</title>\n</head><body>\n", NULL);
+ ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
+ ap_escape_html(r->pool, r->uri),
+ "</title>\n</head><body>\n", NULL);
if (!strcasecmp(menu, "formatted")) {
- ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr />\n\n", NULL);
+ ap_rvputs(r, "<h1>Menu for ",
+ ap_escape_html(r->pool, r->uri),
+ "</h1>\n<hr />\n\n", NULL);
}
return;