Posted to cvs@httpd.apache.org by mj...@apache.org on 2006/04/18 17:30:17 UTC
svn commit: r394965 - in /httpd/httpd/trunk: CHANGES modules/http/http_protocol.c
Author: mjc
Date: Tue Apr 18 08:30:13 2006
New Revision: 394965
URL: http://svn.apache.org/viewcvs?rev=394965&view=rev
Log:
Thiago Zaninotti reported to security@apache.org on 20060410 a possible
cross-site scripting flaw because the Expect header error message isn't
escaped. We couldn't find a way that this could be used by an attacker
however, as they can't influence the Expect header a victim will send to a
target site. Thiago agreed and we're therefore not treating this as a
security flaw, but it is a bug that ought to get fixed. I'll add to
STATUS for 1.3/2.0/2.2 shortly for acks.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/http/http_protocol.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=394965&r1=394964&r2=394965&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Apr 18 08:30:13 2006
@@ -2,6 +2,11 @@
Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) HTML-escape the Expect error message. Not classed as security as
+ an attacker has no way to influence the Expect header a victim will
+ send to a target site. Reported by Thiago Zaninotti
+ <thiango nstalker.com>. [Mark Cox]
+
*) mod_proxy_balancer: Initialize members of a balancer correctly.
PR 38227. [James A. Robinson <jim.robinson stanford.edu>]
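Review bot: the new CHANGES entry names the symptom but not where the fix lives; since the log says this will be proposed for backport to 1.3/2.0/2.2, stating that the escaping is applied to the Expect error-page body built in modules/http/http_protocol.c would help whoever picks up the backport find the equivalent line in each branch.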
Modified: httpd/httpd/trunk/modules/http/http_protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/http/http_protocol.c?rev=394965&r1=394964&r2=394965&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http/http_protocol.c (original)
+++ httpd/httpd/trunk/modules/http/http_protocol.c Tue Apr 18 08:30:13 2006
@@ -996,7 +996,7 @@
"request-header"
"\nfield could not be met by this server.</p>\n"
"<p>The client sent<pre>\n Expect: ",
- apr_table_get(r->headers_in, "Expect"),
+ ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
"\n</pre>\n"
"but we only allow the 100-continue "
"expectation.</p>\n",
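Review bot: ap_escape_html() dereferences its string argument, so the new line is only safe if apr_table_get(r->headers_in, "Expect") cannot return NULL on this path. The surrounding text ("The client sent ... Expect:") implies the header is present, but a one-line comment stating that assumption, or a NULL guard, would make the invariant explicit for backporters. With the value now escaped, wrapping it in <pre> is fine.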