httpd-cvs mailing list archives

Subject svn commit: r394965 - in /httpd/httpd/trunk: CHANGES modules/http/http_protocol.c
Date Tue, 18 Apr 2006 15:30:17 GMT
Author: mjc
Date: Tue Apr 18 08:30:13 2006
New Revision: 394965

Thiago Zaninotti reported to on 20060410 a possible
cross-site scripting flaw because the Expect header error message isn't
escaped.  We couldn't find a way that this could be used by an attacker
however, as they can't influence the Expect header a victim will send to a
target site.  Thiago agreed and we're therefore not treating this as a
security flaw, but it is a bug that ought to get fixed.  I'll add to 
STATUS for 1.3/2.0/2.2 shortly for acks.


Modified: httpd/httpd/trunk/CHANGES
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Apr 18 08:30:13 2006
@@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
+  *) HTML-escape the Expect error message.  Not classed as security as
+     an attacker has no way to influence the Expect header a victim will
+     send to a target site.  Reported by Thiago Zaninotti
+     <thiango>. [Mark Cox]
   *) mod_proxy_balancer: Initialize members of a balancer correctly.
      PR 38227. [James A. Robinson <jim.robinson>]
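Review bot: the CHANGES entry names the symptom but not where the fix lands; since the hunk below touches the Expect error page built in modules/http/http_protocol.c, a short pointer such as "HTML-escape the Expect header echoed in the Expect error response (http_protocol.c)" would let readers of CHANGES locate the change without opening the diff. The "Not classed as security" rationale is worth keeping as written, since it records why no CVE-style handling was applied.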

Modified: httpd/httpd/trunk/modules/http/http_protocol.c
--- httpd/httpd/trunk/modules/http/http_protocol.c (original)
+++ httpd/httpd/trunk/modules/http/http_protocol.c Tue Apr 18 08:30:13 2006
@@ -996,7 +996,7 @@
                            "\nfield could not be met by this server.</p>\n"
                            "<p>The client sent<pre>\n    Expect: ",
-                           apr_table_get(r->headers_in, "Expect"),
+                           ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
                            "but we only allow the 100-continue "
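Review bot: the new `ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect"))` line is correct for its purpose (the client-supplied header is reflected into an HTML body, so it must be escaped), but two things merit a look. First, `ap_escape_html` walks the string it is given, so it must never receive a NULL from `apr_table_get`; this branch is only reached when an Expect header was present with an unsupported value, so the lookup cannot fail here, but a one-line comment stating that invariant would stop a later refactor from moving the call somewhere the header may be absent. Second, the added line runs well past 80 columns; splitting it as `ap_escape_html(r->pool,` / `apr_table_get(r->headers_in, "Expect")),` keeps it within the project's line-length convention.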
