Posted to cvs@httpd.apache.org by mj...@apache.org on 2006/04/19 10:33:22 UTC

svn commit: r395173 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/http/http_protocol.c

Author: mjc
Date: Wed Apr 19 01:33:19 2006
New Revision: 395173

URL: http://svn.apache.org/viewcvs?rev=395173&view=rev
Log:
http_protocol: Fix escaping of Expect error message
+1: mjc, trawick, rpluem, jim

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/http/http_protocol.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=395173&r1=395172&r2=395173&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Apr 19 01:33:19 2006
@@ -1,6 +1,11 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.2
 
+  *) HTML-escape the Expect error message.  Not classed as security as
+     an attacker has no way to influence the Expect header a victim will
+     send to a target site.  Reported by Thiago Zaninotti
+     <thiango nstalker.com>. [Mark Cox]
+
   *) htdbm: Warn the user when adding a plaintext password on a platform
      where it wouldn't work with the server (i.e., anywhere that has
      crypt()).  [Jeff Trawick]
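Review bot: The new CHANGES entry should cite the trunk revision it backports (r394965, per the STATUS item this commit removes) so the 2.2.x entry stays traceable to the original fix. The stated rationale for not classing this as a security issue is sound as far as the visible text goes: the reflected value is the requester's own Expect header, and the entry explains that a third party cannot set it for a victim. Stating that explicitly as "the only party who can inject markup is the one who receives the page" would make the reasoning checkable by later readers.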

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/STATUS?rev=395173&r1=395172&r2=395173&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Apr 19 01:33:19 2006
@@ -71,13 +71,6 @@
 
 RELEASE SHOWSTOPPERS:
 
-    * http_protocol: Fix escaping of Expect error message
-        Trunk version of patch:
-          http://svn.apache.org/viewcvs?rev=394965&view=rev
-        2.2.x version of patch:
-          Trunk version with changed offsets
-       +1: mjc, trawick, rpluem, jim
-
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
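Review bot: Removing the whole "* http_protocol" block leaves two consecutive blank lines under "RELEASE SHOWSTOPPERS:" (the kept context line and the blank line before "PATCHES ACCEPTED TO BACKPORT FROM TRUNK:"); dropping one of them keeps the section layout consistent with the rest of STATUS. Otherwise the removal is correct, since the vote line "+1: mjc, trawick, rpluem, jim" matches the log message and the item is now committed.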

Modified: httpd/httpd/branches/2.2.x/modules/http/http_protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/modules/http/http_protocol.c?rev=395173&r1=395172&r2=395173&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/http/http_protocol.c (original)
+++ httpd/httpd/branches/2.2.x/modules/http/http_protocol.c Wed Apr 19 01:33:19 2006
@@ -996,7 +996,7 @@
                            "request-header"
                            "\nfield could not be met by this server.</p>\n"
                            "<p>The client sent<pre>\n    Expect: ",
-                           apr_table_get(r->headers_in, "Expect"),
+                           ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
                            "\n</pre>\n"
                            "but we only allow the 100-continue "
                            "expectation.</p>\n",
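Review bot: Wrapping the reflected header in `ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect"))` is the right fix, as the raw header value was previously interpolated into the HTML error body unescaped; please confirm that this error path is only reached when the Expect header is present, because `apr_table_get` returns NULL for a missing header and `ap_escape_html` is not shown to guard against a NULL argument. If any caller can reach this code with no Expect header, the call should fall back to an empty string before escaping.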