httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38910] New: - mod_autoindex prints unescaped filenames
Date Thu, 09 Mar 2006 16:42:37 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38910>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38910

           Summary: mod_autoindex prints unescaped filenames
           Product: Apache httpd-2
           Version: 2.2.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_autoindex
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rmg@terc.edu


In the default configuration of Apache httpd-2.2.0, filenames printed by
mod_autoindex are not properly html-escaped. This can inject arbitrary html
directly in the autoindex output, potentially making it unusable for navigation
purposes. For example:

[build, install, and run httpd-2.2.0]
cd $PREFIX/htdocs
mkdir foo
touch "foo/<body onload=alert(1)>"
[visit /foo/ in a browser (tested with Firefox)]
[an alert dialog appears]

Earlier versions of Apache httpd do contain this bug, but are not affected in
their default configurations. The difference is that versions prior to 2.2.0
have "IndexOptions FancyIndexing" enabled in the default httpd.conf, so a
different code path is used to display the filenames.

Here's a patch against 2.2.0 (and probably applicable to earlier versions) which
adds the necessary escaping to the displayed filename in non-fancy, non-table
autoindex output. I'll include it inline because I don't see how to attach a
file in Bugzilla.

--- httpd-2.2.0/modules/generators/mod_autoindex.c.orig	Thu Nov 10 09:20:05 2005
+++ httpd-2.2.0/modules/generators/mod_autoindex.c	Thu Mar  9 02:42:54 2006
@@ -1819,8 +1819,9 @@
             ap_rputc('\n', r);
         }
         else {
-            ap_rvputs(r, "<li><a href=\"", anchor, "\"> ", t2,
-                         "</a></li>\n", NULL);
+            ap_rvputs(r, "<li><a href=\"", anchor, "\"> ",
+                      ap_escape_html(scratch, t2),
+                      "</a></li>\n", NULL);
         }
     }
     if (autoindex_opts & TABLE_INDEXING) {
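Review bot: in the rewritten `ap_rvputs` call only `t2` is escaped, while `anchor` is still written as-is inside the double-quoted `href` attribute; please confirm that `anchor` is already escaped for attribute context where it is built, or escape it here as well. Separately, `scratch` is not declared or assigned anywhere in the visible context, so the hunk alone does not show which pool the escaped copy comes from; a short comment or a pointer to where `scratch` is set up would make the allocation lifetime reviewable.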

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

