Posted to cvs@httpd.apache.org by rj...@apache.org on 2012/08/17 22:17:59 UTC
svn commit: r1374421 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS modules/mappers/mod_negotiation.c
Author: rjung
Date: Fri Aug 17 20:17:59 2012
New Revision: 1374421
URL: http://svn.apache.org/viewvc?rev=1374421&view=rev
Log:
mod_negotiation: Escape filenames in variant list
to prevent a possible XSS for a site where untrusted
users can upload files to a location with MultiViews
enabled.
SECURITY: CVE-2012-2687 (cve.mitre.org):
Submitted by: Niels Heinen <heinenn google.com>
Reviewed by: trawick, wrowe
Backported by: rjung
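The fix above emits the same untrusted filename in two different HTML contexts (an href attribute and the link text) and applies a different escaper to each. The following is an added, self-contained C example illustrating that context-specific escaping; it is not httpd code. `escape_path_segment()` and `escape_html()` are hypothetical stand-ins written here to mimic the intent of `ap_escape_path_segment()` and `ap_escape_html()`, and `variant_list_item()` mirrors the shape of the patched `make_variant_list()` fragment. The sample filename is constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ap_escape_path_segment(): characters outside the
 * RFC 2396 pchar set (unreserved plus ":@&=+$,") become %XX, so '"', '<' and
 * '>' can never terminate the attribute or open a tag. */
static int path_segment_safe(unsigned char c)
{
    return isalnum(c) || strchr("-_.!~*'():@&=+$,", c) != NULL;
}

static char *escape_path_segment(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(strlen(s) * 3 + 1);   /* worst case: every byte -> %XX */
    char *p = out;

    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (path_segment_safe(c)) {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

/* Hypothetical stand-in for ap_escape_html(): entity-encode the characters
 * that have meaning in HTML text and attribute values. */
static char *escape_html(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1);   /* worst case: every byte -> &quot; */
    char *p = out;

    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '&': rep = "&amp;";  break;
        case '"': rep = "&quot;"; break;
        }
        if (rep) {
            size_t l = strlen(rep);
            memcpy(p, rep, l);
            p += l;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Mirrors the patched fragment: the filename appears twice, once URL-escaped
 * inside href="..." and once HTML-escaped as the visible link text. The
 * description is passed through unchanged, as in the fragment; escape it too
 * if it can come from untrusted input. */
static char *variant_list_item(const char *filename, const char *description)
{
    char *href = escape_path_segment(filename);
    char *text = escape_html(filename);
    size_t len = strlen("<li><a href=\"") + strlen(href) + strlen("\">")
               + strlen(text) + strlen("</a> ") + strlen(description) + 1;
    char *out = malloc(len);

    snprintf(out, len, "<li><a href=\"%s\">%s</a> %s", href, text, description);
    free(href);
    free(text);
    return out;
}

int main(void)
{
    /* Constructed sample: an uploaded name carrying a quote and markup. */
    const char *name = "x\"><b>y.html";
    char *li = variant_list_item(name, "(constructed description)");

    puts(li);
    free(li);
    return 0;
}
```

Running it shows why one escaper is not enough: percent-encoding keeps the attribute intact and makes the link resolve to the real file, while entity-encoding keeps the same bytes from being parsed as markup in the text node.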
Modified:
httpd/httpd/branches/2.2.x/ (props changed)
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c
Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1349905
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1374421&r1=1374420&r2=1374421&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Aug 17 20:17:59 2012
@@ -5,6 +5,11 @@ Changes with Apache 2.2.23
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]
+ *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+ mod_negotiation: Escape filenames in variant list to prevent an
+ possible XSS for a site where untrusted users can upload files to
+ a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
*) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
[Peter Pramberger <peter pramberger.at>, Jim Jagielski]
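Review bot: the new CHANGES entry reads "prevent an possible XSS"; it should read "a possible XSS" before release, since this text is copied verbatim into the release notes.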
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1374421&r1=1374420&r2=1374421&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Aug 17 20:17:59 2012
@@ -93,15 +93,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_negotiation: Escape filenames in variant list to prevent an
- possible XSS for a site where untrusted users can upload files to a
- location with MultiViews enabled.
- SECURITY: CVE-2012-2687 (cve.mitre.org):
- Submitted by: Niels Heinen <heinenn google.com>
- trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905
- 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356889
- 2.2.x patch: trunk patch applies
- +1: rjung, trawick, wrowe
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
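Review bot: the removed backport proposal records the trunk patch as r1349905, which matches the svn:mergeinfo change in this commit (Merged /httpd/httpd/trunk:r1349905), and the "2.2.x patch: trunk patch applies" line is consistent with the single-file code change below; the bookkeeping looks complete.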
Modified: httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c?rev=1374421&r1=1374420&r2=1374421&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c (original)
+++ httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c Fri Aug 17 20:17:59 2012
@@ -2658,9 +2658,9 @@ static char *make_variant_list(request_r
* need to change the calculation of max_vlist_array above.
*/
*((const char **) apr_array_push(arr)) = "<li><a href=\"";
- *((const char **) apr_array_push(arr)) = filename;
+ *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
*((const char **) apr_array_push(arr)) = "\">";
- *((const char **) apr_array_push(arr)) = filename;
+ *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
*((const char **) apr_array_push(arr)) = "</a> ";
*((const char **) apr_array_push(arr)) = description;
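Review bot: `description` on the last line of this hunk is still pushed onto the output array unescaped while both occurrences of `filename` are now escaped; please confirm that `description` can only come from administrator-controlled input, otherwise it needs `ap_escape_html(r->pool, description)` as well. The two escapers chosen are the right ones for their contexts (`ap_escape_path_segment` inside `href="..."`, `ap_escape_html` for the link text), and since the number of elements pushed is unchanged, the `max_vlist_array` calculation referenced in the comment at the top of the hunk does not need adjusting.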