httpd-cvs mailing list archives

From rpl...@apache.org
Subject svn commit: r608068 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/generators/mod_status.c
Date Wed, 02 Jan 2008 10:01:13 GMT
Author: rpluem
Date: Wed Jan  2 02:01:11 2008
New Revision: 608068

URL: http://svn.apache.org/viewvc?rev=608068&view=rev
Log:
Merge r607282 from trunk:

* Ensure refresh parameter is numeric to prevent a possible XSS attack caused
  by redirecting to other URLs. Reported by SecurityReason.

Submitted by: Mark Cox, Joe Orton
Reviewed by: rpluem, fuankg, wrowe

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/modules/generators/mod_status.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=608068&r1=608067&r2=608068&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Jan  2 02:01:11 2008
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.62
 
+  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+     mod_status: Ensure refresh parameter is numeric to prevent
+     a possible XSS attack caused by redirecting to other URLs. 
+     Reported by SecurityReason.  [Mark Cox, Joe Orton]
+
   *) SECURITY: CVE-2007-5000 (cve.mitre.org)
      mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
      [Joe Orton]
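
Review bot: The new CVE-2007-6388 entry says only that the refresh parameter is made numeric, but the mod_status.c change in this same commit also moves the fallback value from "1" to 10 (`t < 1 ? 10 : t`). That is a user-visible behaviour change and deserves a clause in the entry. The added line ending "other URLs. " also carries trailing whitespace.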

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=608068&r1=608067&r2=608068&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Wed Jan  2 02:01:11 2008
@@ -126,15 +126,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
- * mod_status: Ensure refresh parameter is numeric to prevent a possible XSS
-   attack caused by redirecting to other URLs.
-    Trunk version of patch:
-       http://svn.apache.org/viewvc?rev=607282&view=rev
-    Backport version for 2.0.x of patch:
-       http://awe.com/e8f6ad05238f8/CVE-2007-6388-httpd-2.x.patch
-    +1: rpluem, fuankg, wrowe
-    wrowe is +1 for having that default to a value of 10 instead of 1 @ln# 307
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are!  Add all new

Modified: httpd/httpd/branches/2.0.x/modules/generators/mod_status.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/generators/mod_status.c?rev=608068&r1=608067&r2=608068&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/generators/mod_status.c (original)
+++ httpd/httpd/branches/2.0.x/modules/generators/mod_status.c Wed Jan  2 02:01:11 2008
@@ -71,6 +71,7 @@
 #endif
 #define APR_WANT_STRFUNC
 #include "apr_want.h"
+#include "apr_strings.h"
 
 #ifdef NEXT
 #if (NX_CURRENT_COMPILER_RELEASE == 410)
@@ -281,19 +282,18 @@
             if ((loc = ap_strstr_c(r->args,
                                    status_options[i].form_data_str)) != NULL) {
                 switch (status_options[i].id) {
-                case STAT_OPT_REFRESH:
-                    if (*(loc + strlen(status_options[i].form_data_str)) == '='
-                        && atol(loc + strlen(status_options[i].form_data_str)
-                                + 1) > 0)
-                        apr_table_set(r->headers_out,
-                                      status_options[i].hdr_out_str,
-                                      loc + 
-                                      strlen(status_options[i].hdr_out_str) +
-                                      1);
-                    else
-                        apr_table_set(r->headers_out,
-                                      status_options[i].hdr_out_str, "1");
+                case STAT_OPT_REFRESH: {
+                    apr_size_t len = strlen(status_options[i].form_data_str);
+                    long t = 0;
+
+                    if (*(loc + len ) == '=') {
+                        t = atol(loc + len + 1);
+                    }
+                    apr_table_set(r->headers_out,
+                                  status_options[i].hdr_out_str,
+                                  apr_ltoa(r->pool, t < 1 ? 10 : t));
                     break;
+                }
                 case STAT_OPT_NOTABLE:
                     no_table_report = 1;
                     break;
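
Review bot: `t = atol(loc + len + 1)` has no error or range handling: atol cannot report an out-of-range value and stops silently at the first non-digit, and the only bound applied afterwards is the `t < 1 ? 10 : t` floor. Rebuilding the header value with apr_ltoa does guarantee digits-only output, which is what closes the injection, but consider strtol with an end pointer and errno check, plus an upper clamp on t, so that an oversized or malformed value falls back to the default as well. Separately, the unchanged ap_strstr_c call matches form_data_str anywhere in r->args rather than at a parameter boundary, and `*(loc + len )` has a stray space before the closing parenthesis.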


