Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/01/22 20:30:39 UTC
[jira] [Commented] (TS-4145) ATS 6.0.0 - Address cross-site scripting exploits in error messages
[ https://issues.apache.org/jira/browse/TS-4145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15112929#comment-15112929 ]
Leif Hedstrom commented on TS-4145:
-----------------------------------
Would you mind producing a GitHub Pull Request with these changes, please?
> ATS 6.0.0 - Address cross-site scripting exploits in error messages
> -------------------------------------------------------------------
>
> Key: TS-4145
> URL: https://issues.apache.org/jira/browse/TS-4145
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Parent Proxy
> Reporter: Devaki
> Fix For: 6.2.0
>
>
> Address potential cross-site scripting exploits in the following files:
> 1.) Replace the variable psh with epsh in files:
> proxy/config/body_factory/default/redirect#moved_temporarily
> proxy/config/body_factory/default/redirect#moved_permanently
> 2.) Variable cqh in proxy/config/body_factory/default/access#redirect_url should be replaced with ecqh. However, the file appears unutilized in ATS 6.0.0, hence remove it from the Makefile altogether.
> Suggested patch:
> diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/Makefile.am trafficserver-6.0.0-1/proxy/config/body_factory/default/Makefile.am
> --- trafficserver-6.0.0/proxy/config/body_factory/default/Makefile.am 2015-09-08 13:43:45.000000000 -0400
> +++ trafficserver-6.0.0-1/proxy/config/body_factory/default/Makefile.am 2016-01-19 12:49:44.823719964 -0500
> @@ -21,7 +21,6 @@ bodyfactorydir = $(pkgsysconfdir)/body_f
> dist_bodyfactory_DATA = \
> access\#denied \
> access\#proxy_auth_required \
> - access\#redirect_url \
> access\#ssl_forbidden \
> .body_factory_info \
> cache\#not_in_cache \
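Review bot: Dropping access\#redirect_url from dist_bodyfactory_DATA only stops the template from being installed; the patch was produced with diff -N and shows no deletion of the file itself, so the unescaped cqh named in item 2 stays in the source tree. Delete proxy/config/body_factory/default/access#redirect_url in the same change, or switch it to ecqh if any code path can still select that template, and confirm with a search of the sources that nothing references redirect_url before removing it.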
> diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_permanently trafficserver-6.0.0-1/proxy/config/body_factory/defau
> lt/redirect#moved_permanently
> --- trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_permanently 2015-09-08 13:43:45.000000000 -0400
> +++ trafficserver-6.0.0-1/proxy/config/body_factory/default/redirect#moved_permanently 2016-01-19 12:50:47.669068203 -0500
> @@ -8,7 +8,7 @@
> <HR>
>
> <FONT FACE="Helvetica,Arial"><B>
> -Description: The document you requested has moved to a new location. The new location is "%<{Location}psh>".
> +Description: The document you requested has moved to a new location. The new location is "%<{Location}epsh>".
> </B></FONT>
> <HR>
> </BODY>
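Review bot: The + line on the Description text relies entirely on epsh encoding the Location value for HTML, and the patch carries no check that it does. The value is rendered inside literal double quotes in body text, so confirm that epsh encodes at least the angle brackets, the ampersand and the double quote, and add a regression test that serves this template for a response whose Location header contains those characters and asserts they appear encoded in the body.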
> diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_temporarily trafficserver-6.0.0-1/proxy/config/body_factory/defau
> lt/redirect#moved_temporarily
> --- trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_temporarily 2015-09-08 13:43:45.000000000 -0400
> +++ trafficserver-6.0.0-1/proxy/config/body_factory/default/redirect#moved_temporarily 2016-01-19 12:50:33.548765337 -0500
> @@ -8,7 +8,7 @@
> <HR>
>
> <FONT FACE="Helvetica,Arial"><B>
> -Description: The document you requested has moved to a new location. The new location is "%<{Location}psh>".
> +Description: The document you requested has moved to a new location. The new location is "%<{Location}epsh>".
> </B></FONT>
> <HR>
> </BODY>
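Review bot: The psh to epsh fix on the Description line is repeated by hand here and in redirect#moved_permanently, with nothing to catch other templates that still use the unescaped forms. The hunk shows only the lines around line 8 of this file, so search the rest of proxy/config/body_factory/default for remaining psh and cqh substitutions that render header values into the page, convert them in this same patch, and consider a build-time check that rejects the unescaped forms in body factory templates.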