Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/01/22 20:30:39 UTC

[jira] [Updated] (TS-4145) ATS 6.0.0 - Address cross-site scripting exploits in error messages

     [ https://issues.apache.org/jira/browse/TS-4145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-4145:
------------------------------
    Fix Version/s: 6.2.0

> ATS 6.0.0 - Address cross-site scripting exploits in error messages
> -------------------------------------------------------------------
>
>                 Key: TS-4145
>                 URL: https://issues.apache.org/jira/browse/TS-4145
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, Parent Proxy
>            Reporter: Devaki
>             Fix For: 6.2.0
>
>
> Address potential cross-site scripting exploits in the following files:
> 1.)    Replace the variable psh with epsh in files:
> proxy/config/body_factory/default/redirect#moved_temporarily
> proxy/config/body_factory/default/redirect#moved_permanently
> 2.)    Variable cqh in proxy/config/body_factory/default/access#redirect_url should be replaced with ecqh. However, the file appears unutilized in ATS 6.0.0, hence remove from Makefile altogether.
> Suggested patch:
> diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/Makefile.am trafficserver-6.0.0-1/proxy/config/body_factory/default/Makefile.am
> --- trafficserver-6.0.0/proxy/config/body_factory/default/Makefile.am	2015-09-08 13:43:45.000000000 -0400
> +++ trafficserver-6.0.0-1/proxy/config/body_factory/default/Makefile.am	2016-01-19 12:49:44.823719964 -0500
> @@ -21,7 +21,6 @@ bodyfactorydir = $(pkgsysconfdir)/body_f
>  dist_bodyfactory_DATA = \
>    access\#denied \
>    access\#proxy_auth_required \
> -  access\#redirect_url \
>    access\#ssl_forbidden \
>    .body_factory_info \
>    cache\#not_in_cache \
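Review bot: dropping access\#redirect_url from dist_bodyfactory_DATA only stops the template from being installed; the file and its unescaped cqh token stay in the source tree, and a copy already installed under the body_factory directory is not touched by an upgrade, so the fix rests entirely on the description's claim that nothing selects this template. Suggest either deleting the file from the tree in the same patch or changing cqh to ecqh in it, and stating in the commit message that existing installations should remove the stale copy.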
> diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_permanently trafficserver-6.0.0-1/proxy/config/body_factory/defau
> lt/redirect#moved_permanently
> --- trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_permanently	2015-09-08 13:43:45.000000000 -0400
> +++ trafficserver-6.0.0-1/proxy/config/body_factory/default/redirect#moved_permanently	2016-01-19 12:50:47.669068203 -0500
> @@ -8,7 +8,7 @@
>  <HR>
>  
>  <FONT FACE="Helvetica,Arial"><B>
> -Description: The document you requested has moved to a new location.  The new location is "%<{Location}psh>".
> +Description: The document you requested has moved to a new location.  The new location is "%<{Location}epsh>".
>  </B></FONT>
>  <HR>
>  </BODY>
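Review bot: the substitution is printed between literal double quotes in the Description line, so the fix is only complete if epsh escapes the quote character as well as <, > and &; please confirm that, otherwise a Location value containing " can still close the string and introduce markup. It would also be worth grepping the rest of proxy/config/body_factory/default for any remaining psh or cqh tokens, since this patch edits only the two redirect templates and handles the third file by not installing it.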
> diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_temporarily trafficserver-6.0.0-1/proxy/config/body_factory/defau
> lt/redirect#moved_temporarily
> --- trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_temporarily	2015-09-08 13:43:45.000000000 -0400
> +++ trafficserver-6.0.0-1/proxy/config/body_factory/default/redirect#moved_temporarily	2016-01-19 12:50:33.548765337 -0500
> @@ -8,7 +8,7 @@
>  <HR>
>  
>  <FONT FACE="Helvetica,Arial"><B>
> -Description: The document you requested has moved to a new location.  The new location is "%<{Location}psh>".
> +Description: The document you requested has moved to a new location.  The new location is "%<{Location}epsh>".
>  </B></FONT>
>  <HR>
>  </BODY>
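Review bot: this is the same one-token change as in redirect#moved_permanently, so the same question about which characters epsh escapes applies here. Whatever regression check gets added for the first template (render it with a Location value containing < and " and assert the output is escaped) should cover both templates, since they share the identical Description line.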

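As an added illustration that is not part of this issue or of Traffic Server's own code, a small C++ model of body_factory token expansion: psh copies the Location header into the page as-is, while epsh HTML-escapes it first. The token syntax is taken from the templates quoted above; the escaping rules and the helper names are assumptions for the demo.

```cpp
// Added illustration, not Traffic Server code: a small model of how a
// body_factory template expands header tokens, showing why the patch
// swaps "%<{Location}psh>" for "%<{Location}epsh>" (escaping rules assumed).
#include <map>
#include <regex>
#include <string>

// Escape the characters that let a header value break out of HTML text
// or out of the quoted string the template prints it in.
std::string html_escape(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        default:   out += c;
        }
    }
    return out;
}

// Expand %<{Header}psh> (raw) and %<{Header}epsh> (escaped) tokens;
// an unknown header expands to the empty string.
std::string expand_template(const std::string &tmpl,
                            const std::map<std::string, std::string> &hdrs) {
    static const std::regex tok(R"(%<\{([^}]+)\}(e?)psh>)");
    std::string out;
    std::smatch m;
    auto cur = tmpl.cbegin();
    while (std::regex_search(cur, tmpl.cend(), m, tok)) {
        out.append(m.prefix().first, m.prefix().second);
        auto h = hdrs.find(m[1].str());
        std::string val = (h == hdrs.end()) ? std::string() : h->second;
        out += (m[2].length() > 0) ? html_escape(val) : val; // "e" => escape
        cur = m.suffix().first;
    }
    out.append(cur, tmpl.cend());
    return out;
}

// From the patched templates: the raw token before and the escaped one after.
const std::string kUnsafeLine = "The new location is \"%<{Location}psh>\".";
const std::string kFixedLine  = "The new location is \"%<{Location}epsh>\".";
// Constructed Location value; psh would emit its < > & " unchanged.
const std::map<std::string, std::string> kHeaders = {
    {"Location", "http://example.com/?a=<b>&q=\"x\""}};
```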