Posted to issues@trafficserver.apache.org by "Devaki (JIRA)" <ji...@apache.org> on 2016/01/22 18:03:40 UTC
[jira] [Created] (TS-4145) ATS 6.0.0 - Address cross-site scripting exploits in error messages
Devaki created TS-4145:
--------------------------
Summary: ATS 6.0.0 - Address cross-site scripting exploits in error messages
Key: TS-4145
URL: https://issues.apache.org/jira/browse/TS-4145
Project: Traffic Server
Issue Type: Bug
Components: Configuration, Parent Proxy
Reporter: Devaki
Address potential cross-site scripting exploits in the following files:
1.) Replace the variable psh with epsh in files:
proxy/config/body_factory/default/redirect#moved_temporarily
proxy/config/body_factory/default/redirect#moved_permanently
2.) Variable cqh in proxy/config/body_factory/default/access#redirect_url should be replaced with ecqh. However, the file appears unutilized in ATS 6.0.0, hence remove it from the Makefile altogether.
Suggested patch:
diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/Makefile.am trafficserver-6.0.0-1/proxy/config/body_factory/default/Makefile.am
--- trafficserver-6.0.0/proxy/config/body_factory/default/Makefile.am 2015-09-08 13:43:45.000000000 -0400
+++ trafficserver-6.0.0-1/proxy/config/body_factory/default/Makefile.am 2016-01-19 12:49:44.823719964 -0500
@@ -21,7 +21,6 @@ bodyfactorydir = $(pkgsysconfdir)/body_f
dist_bodyfactory_DATA = \
access\#denied \
access\#proxy_auth_required \
- access\#redirect_url \
access\#ssl_forbidden \
.body_factory_info \
cache\#not_in_cache \
diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_permanently trafficserver-6.0.0-1/proxy/config/body_factory/defau
lt/redirect#moved_permanently
--- trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_permanently 2015-09-08 13:43:45.000000000 -0400
+++ trafficserver-6.0.0-1/proxy/config/body_factory/default/redirect#moved_permanently 2016-01-19 12:50:47.669068203 -0500
@@ -8,7 +8,7 @@
<HR>
<FONT FACE="Helvetica,Arial"><B>
-Description: The document you requested has moved to a new location. The new location is "%<{Location}psh>".
+Description: The document you requested has moved to a new location. The new location is "%<{Location}epsh>".
</B></FONT>
<HR>
</BODY>
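Review bot: The psh to epsh substitution on the Description line comes without a test, so nothing stops a later template edit from reverting it. Add a regression check that renders this body with a Location value containing <, > and " and asserts that only the escaped forms appear in the output.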
diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_temporarily trafficserver-6.0.0-1/proxy/config/body_factory/defau
lt/redirect#moved_temporarily
--- trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_temporarily 2015-09-08 13:43:45.000000000 -0400
+++ trafficserver-6.0.0-1/proxy/config/body_factory/default/redirect#moved_temporarily 2016-01-19 12:50:33.548765337 -0500
@@ -8,7 +8,7 @@
<HR>
<FONT FACE="Helvetica,Arial"><B>
-Description: The document you requested has moved to a new location. The new location is "%<{Location}psh>".
+Description: The document you requested has moved to a new location. The new location is "%<{Location}epsh>".
</B></FONT>
<HR>
</BODY>
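Review bot: The changed Description line is identical to the one in redirect#moved_permanently, and the Makefile.am context lists further templates (access#denied, access#proxy_auth_required, access#ssl_forbidden, cache#not_in_cache) that this patch does not touch. Before merging, search the whole body_factory/default directory for remaining psh> and cqh> fields and either include them here or state in the issue that none are left.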
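A template audit for the substitution described in this issue, as an added example that is not part of the original report or of the Traffic Server code base. It assumes the `%<{Header}code>` field syntax seen in the patch lines and knows only the two code pairs named in the issue (psh/epsh, cqh/ecqh); the function names and the sample strings are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Unescaped field code -> escaped replacement: only the two pairs named in the issue.
ESCAPED_FORM = {"psh": "epsh", "cqh": "ecqh"}

# Header-valued template field as it appears in the patch: %<{Location}psh>
FIELD_RE = re.compile(r"%<\{([^}>]+)\}([A-Za-z]+)>")


def find_unescaped(text):
    """Return (line_no, header, code, suggested_code) for each unescaped header field."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for header, code in FIELD_RE.findall(line):
            if code in ESCAPED_FORM:
                findings.append((line_no, header, code, ESCAPED_FORM[code]))
    return findings


def scan_tree(root):
    """Scan every regular file under a body_factory directory; returns {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = find_unescaped(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples: the removed and added line from the issue's diff.
BEFORE = 'The new location is "%<{Location}psh>".'
AFTER = 'The new location is "%<{Location}epsh>".'

if __name__ == "__main__":
    # Usage: python audit_templates.py path/to/body_factory
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    report = scan_tree(root)
    for path, hits in report.items():
        for line_no, header, code, fix in hits:
            print(f"{path}:{line_no}: {{{header}}}{code} is unescaped, use {fix}")
    sys.exit(1 if report else 0)
```

The non-zero exit status on any finding lets the script run as a build or CI gate over custom template sets as well as the default one.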