Posted to cvs@httpd.apache.org by mj...@apache.org on 2006/04/18 17:30:17 UTC

svn commit: r394965 - in /httpd/httpd/trunk: CHANGES modules/http/http_protocol.c

Author: mjc
Date: Tue Apr 18 08:30:13 2006
New Revision: 394965

URL: http://svn.apache.org/viewcvs?rev=394965&view=rev
Log:
Thiago Zaninotti reported to security@apache.org on 20060410 a possible
cross-site scripting flaw because the Expect header error message isn't
escaped.  We couldn't find a way that this could be used by an attacker
however, as they can't influence the Expect header a victim will send to a
target site.  Thiago agreed and we're therefore not treating this as a
security flaw, but it is a bug that ought to get fixed.  I'll add to 
STATUS for 1.3/2.0/2.2 shortly for acks.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/http/http_protocol.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=394965&r1=394964&r2=394965&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Apr 18 08:30:13 2006
@@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
 
+  *) HTML-escape the Expect error message.  Not classed as security as
+     an attacker has no way to influence the Expect header a victim will
+     send to a target site.  Reported by Thiago Zaninotti
+     <thiango nstalker.com>. [Mark Cox]
+
   *) mod_proxy_balancer: Initialize members of a balancer correctly.
      PR 38227. [James A. Robinson <jim.robinson stanford.edu>]
 
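Review bot: The entry states the rationale but not the symptom, so the backport acks for 1.3/2.0/2.2 have little context; consider saying that the 417 error page echoes the client-supplied Expect header value unescaped, e.g. "HTML-escape the Expect header value reflected in the 417 error message." Also, the reporter's address is missing its "@" ("<thiango nstalker.com>"); the neighbouring mod_proxy_balancer entry has the same form, so if that is the file's deliberate convention it is fine, otherwise fix it before it is copied into the release notes.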

Modified: httpd/httpd/trunk/modules/http/http_protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/http/http_protocol.c?rev=394965&r1=394964&r2=394965&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http/http_protocol.c (original)
+++ httpd/httpd/trunk/modules/http/http_protocol.c Tue Apr 18 08:30:13 2006
@@ -996,7 +996,7 @@
                            "request-header"
                            "\nfield could not be met by this server.</p>\n"
                            "<p>The client sent<pre>\n    Expect: ",
-                           apr_table_get(r->headers_in, "Expect"),
+                           ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
                            "\n</pre>\n"
                            "but we only allow the 100-continue "
                            "expectation.</p>\n",
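Review bot: apr_table_get() returns NULL when the request carries no Expect header, and this error body is generated for any HTTP_EXPECTATION_FAILED response, including one a module returns directly; unless ap_escape_html() is known to accept a NULL string, the new call can dereference NULL where the previous code only passed NULL through. Suggest fetching the value once and guarding it, e.g. `const char *expect = apr_table_get(r->headers_in, "Expect");` followed by `expect ? ap_escape_html(r->pool, expect) : "",` in the argument list. The added line also exceeds the 80-column limit used elsewhere in this file; the temporary variable fixes that as well.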