Posted to cvs@httpd.apache.org by sf...@apache.org on 2012/07/03 21:44:23 UTC
svn commit: r1356889 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/mappers/mod_negotiation.c
Author: sf
Date: Tue Jul 3 19:44:22 2012
New Revision: 1356889
URL: http://svn.apache.org/viewvc?rev=1356889&view=rev
Log:
Merge r1349905:
SECURITY: CVE-2012-2687 (cve.mitre.org):
mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files to a
location with MultiViews enabled.
* modules/mappers/mod_negotiation.c (make_variant_list): Escape
filenames in variant list.
Submitted by: Niels Heinen <heinenn google.com>
Reviewed by: covener, jorton, sf
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1349905
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1356889&r1=1356888&r2=1356889&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Jul 3 19:44:22 2012
@@ -3,6 +3,11 @@
Changes with Apache 2.4.3
+ *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+ mod_negotiation: Escape filenames in variant list to prevent an
+ possible XSS for a site where untrusted users can upload files to
+ a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]
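Review bot: The added entry reads "prevent an possible XSS"; the article should be "a possible XSS" (the commit log carries the same wording). Otherwise the entry follows the CHANGES conventions for security fixes: CVE reference on the first line, module prefix, and the reporter credited in brackets.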
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1356889&r1=1356888&r2=1356889&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Tue Jul 3 19:44:22 2012
@@ -88,11 +88,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_negotiation: CVE-2012-2687 XSS in mod_negotiation
- trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905
- 2.4.x patch: trunk works
- +1: covener, jorton, sf
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
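Review bot: Dropping the accepted-backport entry here is consistent with the merge itself: the removed lines cite trunk r1349905, which is exactly the revision recorded in the svn:mergeinfo propchange above, and the three +1 votes (covener, jorton, sf) match the Reviewed by line in the log. Nothing further needed on this file.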
Modified: httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c?rev=1356889&r1=1356888&r2=1356889&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c (original)
+++ httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c Tue Jul 3 19:44:22 2012
@@ -2656,9 +2656,9 @@ static char *make_variant_list(request_r
* need to change the calculation of max_vlist_array above.
*/
*((const char **) apr_array_push(arr)) = "<li><a href=\"";
- *((const char **) apr_array_push(arr)) = filename;
+ *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
*((const char **) apr_array_push(arr)) = "\">";
- *((const char **) apr_array_push(arr)) = filename;
+ *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
*((const char **) apr_array_push(arr)) = "</a> ";
*((const char **) apr_array_push(arr)) = description;
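Review bot: Each replacement applies the escaper that matches its output context. The filename placed inside href="..." goes through ap_escape_path_segment, so a quote or angle bracket in an uploaded filename is percent-encoded and can neither close the attribute nor alter the link; the same filename shown as the visible link text goes through ap_escape_html, which is the right choice for HTML body text. Both calls return new pool-allocated strings and the number of apr_array_push calls is unchanged, so the max_vlist_array sizing mentioned in the comment at the top of the hunk still holds. One point to confirm outside this hunk: description is pushed on the last context line without escaping; if it can ever be derived from user-controlled input it needs ap_escape_html as well, whereas if it only comes from server configuration it can stay as is.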