Posted to cvs@httpd.apache.org by mj...@apache.org on 2006/04/19 10:28:07 UTC

svn commit: r395171 - in /httpd/httpd/branches/1.3.x: STATUS src/CHANGES src/main/http_protocol.c

Author: mjc
Date: Wed Apr 19 01:28:04 2006
New Revision: 395171

URL: http://svn.apache.org/viewcvs?rev=395171&view=rev
Log:
Fix escaping of Expect error message
http://svn.apache.org/viewcvs?rev=394965&view=rev
+1: mjc, trawick, wrowe

Modified:
    httpd/httpd/branches/1.3.x/STATUS
    httpd/httpd/branches/1.3.x/src/CHANGES
    httpd/httpd/branches/1.3.x/src/main/http_protocol.c

Modified: httpd/httpd/branches/1.3.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/1.3.x/STATUS?rev=395171&r1=395170&r2=395171&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/STATUS (original)
+++ httpd/httpd/branches/1.3.x/STATUS Wed Apr 19 01:28:04 2006
@@ -51,12 +51,6 @@
 
 RELEASE SHOWSTOPPERS:
 
-   *) http_protocol: Fix escaping of Expect error message
-      http://svn.apache.org/viewcvs?rev=394965&view=rev
-      http://people.redhat.com/mjc/20060411-expect-apache13.patch
-      +1: mjc, trawick, wrowe
-
-
 PROPOSED PATCHES FOR THIS RELEASE:
 
    *) mod_rewrite on Win32: change the mutex mechanism for RewriteLog

Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/1.3.x/src/CHANGES?rev=395171&r1=395170&r2=395171&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Wed Apr 19 01:28:04 2006
@@ -1,5 +1,10 @@
 Changes with Apache 1.3.35
 
+  *) HTML-escape the Expect error message.  Not classed as security as
+     an attacker has no way to influence the Expect header a victim will
+     send to a target site.  Reported by Thiago Zaninotti 
+     <thiango nstalker.com>. [Mark Cox]
+
   *) SECURITY: CVE-2005-3352 (cve.mitre.org)
      mod_imap: Escape untrusted referer header before outputting in HTML
      to avoid potential cross-site scripting.  Change also made to
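Review bot: the rationale on the added lines ("an attacker has no way to influence the Expect header a victim will send to a target site") is a statement about client behaviour, which the server does not control. I would word the entry so it still reads correctly if that assumption stops holding, for example by stating only that the Expect error message is now HTML-escaped, or by marking the classification as the current assessment. Two smaller points in the same lines: the reporter's name is spelled "Thiago" but the address reads "thiango nstalker.com", so please confirm the address, and there is a trailing space after "Zaninotti".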

Modified: httpd/httpd/branches/1.3.x/src/main/http_protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/1.3.x/src/main/http_protocol.c?rev=395171&r1=395170&r2=395171&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/main/http_protocol.c (original)
+++ httpd/httpd/branches/1.3.x/src/main/http_protocol.c Wed Apr 19 01:28:04 2006
@@ -3137,7 +3137,7 @@
 	    ap_rvputs(r, "The expectation given in the Expect request-header"
 	              "\nfield could not be met by this server.<P>\n"
 	              "The client sent<PRE>\n    Expect: ",
-	              ap_table_get(r->headers_in, "Expect"), "\n</PRE>\n"
+	              ap_escape_html(r->pool, ap_table_get(r->headers_in, "Expect")), "\n</PRE>\n"
 	              "but we only allow the 100-continue expectation.\n",
 	              NULL);
 	    break;
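Review bot: on the changed line the result of ap_table_get(r->headers_in, "Expect") is passed straight into ap_escape_html, so a missing header would hand that call a NULL, whereas in the old line a NULL at that position would only have ended the NULL-terminated ap_rvputs argument list early. If this case can only be reached with an Expect header present, a one-line comment saying so would help the next reader; otherwise fetch the value into a local and check it before escaping. The new line also runs well past 80 columns, unlike the wrapped string literals around it, and could be broken after the first argument of ap_escape_html.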