httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rpl...@apache.org
Subject svn commit: r608061 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/proxy/mod_proxy_balancer.c
Date Wed, 02 Jan 2008 09:49:06 GMT
Author: rpluem
Date: Wed Jan  2 01:49:04 2008
New Revision: 608061

URL: http://svn.apache.org/viewvc?rev=608061&view=rev
Log:
Merge r607275, r607403 from trunk:

* Correctly escape the worker route and the worker redirect string in the HTML
  output of the balancer manager.

Reported by SecurityReason.

Submitted by: rpluem
Reviewed by: rpluem, niq, wrowe

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=608061&r1=608060&r2=608061&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jan  2 01:49:04 2008
@@ -1,6 +1,11 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.7
 
+  *) SECURITY: CVE-2007-6421 (cve.mitre.org)
+     mod_proxy_balancer: Correctly escape the worker route and the worker
+     redirect string in the HTML output of the balancer manager.
+     Reported by SecurityReason. [Ruediger Pluem]
+
   *) mod_ldap: Try to establish a new backend LDAP connection when the
      Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
      LDAP server has closed the connection due to a timeout.

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=608061&r1=608060&r2=608061&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Jan  2 01:49:04 2008
@@ -107,16 +107,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_proxy_balancer: Correctly escape the worker route and the worker
-     redirect string in the HTML output of the balancer manager.
-     Trunk version of patch:
-        http://svn.apache.org/viewvc?rev=607275&view=rev
-        http://svn.apache.org/viewvc?rev=607403&view=rev (CVE number added
-                                                          to CHANGES entry)
-     Backport version for 2.2.x of patch:
-        Trunk version of patch works
-     +1: rpluem, niq, wrowe
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

Modified: httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c?rev=608061&r1=608060&r2=608061&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c Wed Jan  2 01:49:04 2008
@@ -764,8 +764,10 @@
                           ap_escape_uri(r->pool, worker->name),
                           "\">", NULL);
                 ap_rvputs(r, worker->name, "</a></td>", NULL);
-                ap_rvputs(r, "<td>", worker->s->route, NULL);
-                ap_rvputs(r, "</td><td>", worker->s->redirect, NULL);
+                ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route),
+                          NULL);
+                ap_rvputs(r, "</td><td>",
+                          ap_escape_html(r->pool, worker->s->redirect), NULL);
                 ap_rprintf(r, "</td><td>%d</td>", worker->s->lbfactor);
                 ap_rprintf(r, "<td>%d</td><td>", worker->s->lbset);
                 if (worker->s->status & PROXY_WORKER_DISABLED)
@@ -803,10 +805,12 @@
             ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\"
type=text ", r);
             ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbset);
             ap_rputs("<tr><td>Route:</td><td><input name=\"wr\"
type=text ", r);
-            ap_rvputs(r, "value=\"", wsel->s->route, NULL);
+            ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->route),
+                      NULL);
             ap_rputs("\"></td></tr>\n", r);
             ap_rputs("<tr><td>Route Redirect:</td><td><input name=\"rr\"
type=text ", r);
-            ap_rvputs(r, "value=\"", wsel->s->redirect, NULL);
+            ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->redirect),
+                      NULL);
             ap_rputs("\"></td></tr>\n", r);
             ap_rputs("<tr><td>Status:</td><td>Disabled: <input
name=\"dw\" value=\"Disable\" type=radio", r);
             if (wsel->s->status & PROXY_WORKER_DISABLED)



Mime
View raw message