httpd-cvs mailing list archives

From scte...@apache.org
Subject svn commit: r609486 - in /httpd/httpd/branches/1.3.x: STATUS src/CHANGES src/modules/standard/mod_status.c
Date Mon, 07 Jan 2008 02:31:12 GMT
Author: sctemme
Date: Sun Jan  6 18:31:11 2008
New Revision: 609486

URL: http://svn.apache.org/viewvc?rev=609486&view=rev
Log:
Backport mod_status refresh parameter sanitizing patch

Modified:
    httpd/httpd/branches/1.3.x/STATUS
    httpd/httpd/branches/1.3.x/src/CHANGES
    httpd/httpd/branches/1.3.x/src/modules/standard/mod_status.c

Modified: httpd/httpd/branches/1.3.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/STATUS?rev=609486&r1=609485&r2=609486&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/STATUS (original)
+++ httpd/httpd/branches/1.3.x/STATUS Sun Jan  6 18:31:11 2008
@@ -56,16 +56,6 @@
 
 RELEASE SHOWSTOPPERS:
 
-   *) SECURITY: CVE-2007-6388 (cve.mitre.org)
-      mod_status: Ensure refresh parameter is numeric to prevent
-      a possible XSS attack caused by redirecting to other URLs.
-      Reported by SecurityReason.  [Mark Cox]
-      Trunk version of patch: 
-        http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=590641&r2=607873
-      1.3 version of patch attached to: 
-        http://mail-archives.apache.org/mod_mbox/httpd-dev/200801.mbox/%3c47813C93.4020507@apache.org%3e
-      +1: sctemme (with fuankg's change of default refresh time to 10 seconds in r607873),
rpluem (as well +1 to secs), fuankg
-
 PROPOSED PATCHES FOR THIS RELEASE:
 
    *) mod_rewrite on Win32: change the mutex mechanism for RewriteLog

Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?rev=609486&r1=609485&r2=609486&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Sun Jan  6 18:31:11 2008
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.41
 
+  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+     mod_status: Ensure refresh parameter is numeric to prevent
+     a possible XSS attack caused by redirecting to other URLs.
+     Reported by SecurityReason.  [Mark Cox]
 
 Changes with Apache 1.3.40
 

Modified: httpd/httpd/branches/1.3.x/src/modules/standard/mod_status.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/modules/standard/mod_status.c?rev=609486&r1=609485&r2=609486&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/modules/standard/mod_status.c (original)
+++ httpd/httpd/branches/1.3.x/src/modules/standard/mod_status.c Sun Jan  6 18:31:11 2008
@@ -232,17 +232,15 @@
 	while (status_options[i].id != STAT_OPT_END) {
 	    if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) {
 		switch (status_options[i].id) {
-		case STAT_OPT_REFRESH:
-		    if (*(loc + strlen(status_options[i].form_data_str)) == '='
-                        && atol(loc + strlen(status_options[i].form_data_str) 
-                                    + 1) > 0)
-			ap_table_set(r->headers_out,
-			      status_options[i].hdr_out_str,
-			      loc + strlen(status_options[i].hdr_out_str) + 1);
-		    else
-			ap_table_set(r->headers_out,
-			      status_options[i].hdr_out_str, "1");
-		    break;
+                case STAT_OPT_REFRESH: {
+                    long refreshtime = 0;
+                    if (*(loc + strlen(status_options[i].form_data_str)) == '=')
+                        refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);
+                    ap_table_set(r->headers_out,
+                                 status_options[i].hdr_out_str,
+                                 ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime));
+                    break;
+                }
 		case STAT_OPT_NOTABLE:
 		    no_table_report = 1;
 		    break;
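
Review bot: The atol() call on the `refreshtime = atol(...)` line has no error or range reporting, so an over-long digit string in the query is not detected (the C standard leaves atol's behaviour undefined when the result is not representable) and only the lower bound is enforced by `(refreshtime<1)?10:refreshtime`. Consider strtol() with an ERANGE check and an upper clamp, falling back to 10 in both cases. Re-serialising the parsed number with "%ld" rather than copying from `loc` is the right shape for the fix, since trailing non-digit text in the query can no longer reach the Refresh header. Two smaller points: the literal 10 would read better as a named constant, and the new case block is indented with spaces while the neighbouring STAT_OPT_NOTABLE case uses tabs.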


