Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org
Subject: svn commit: r1356889 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/mappers/mod_negotiation.c
Date: Tue, 03 Jul 2012 19:44:23 -0000
To: cvs@httpd.apache.org
From: sf@apache.org
Message-Id: <20120703194424.E108223889E7@eris.apache.org>

Author: sf
Date: Tue Jul 3 19:44:22 2012
New Revision: 1356889

URL: http://svn.apache.org/viewvc?rev=1356889&view=rev
Log:
Merge r1349905:

SECURITY: CVE-2012-2687 (cve.mitre.org): mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled.

* modules/mappers/mod_negotiation.c (make_variant_list): Escape filenames in variant list.

Submitted by: Niels Heinen
Reviewed by: covener, jorton, sf

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1349905

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1356889&r1=1356888&r2=1356889&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Jul 3 19:44:22 2012
@@ -3,6 +3,11 @@ Changes with Apache 2.4.3 + *) SECURITY: CVE-2012-2687 (cve.mitre.org) + mod_negotiation: Escape filenames in variant list to prevent an + possible XSS for a site where untrusted users can upload files to + a location with MultiViews enabled. [Niels Heinen ] + *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). [Paul Wouters , Joe Orton] Modified: httpd/httpd/branches/2.4.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1356889&r1=1356888&r2=1356889&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/STATUS (original) +++ httpd/httpd/branches/2.4.x/STATUS Tue Jul 3 19:44:22 2012 @@ -88,11 +88,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_negotiation: CVE-2012-2687 XSS in mod_negotiation - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905 - 2.4.x patch: trunk works - +1: covener, jorton, sf - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] Modified: httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c?rev=1356889&r1=1356888&r2=1356889&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c (original) +++ httpd/httpd/branches/2.4.x/modules/mappers/mod_negotiation.c Tue Jul 3 19:44:22 2012 @@ -2656,9 +2656,9 @@ static char *make_variant_list(request_r * need to change the calculation of max_vlist_array above. */ *((const char **) apr_array_push(arr)) = "
  • pool, filename); *((const char **) apr_array_push(arr)) = "\">"; - *((const char **) apr_array_push(arr)) = filename; + *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename); *((const char **) apr_array_push(arr)) = " "; *((const char **) apr_array_push(arr)) = description;
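Review bot: in the CHANGES hunk, the added entry reads "prevent an possible XSS"; it should be "prevent a possible XSS" before this lands in the 2.4.3 release notes.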
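Review bot: in the mod_negotiation.c hunk, `description` is still pushed unescaped on the line immediately after the newly escaped `filename`; the hunk does not show where `description` comes from, so if it can carry user-controlled content it needs the same `ap_escape_html(r->pool, description)` treatment, and if it is trusted a short comment saying why would stop the next reader from re-raising this. A regression test that uploads a filename containing `<` and `"` into a MultiViews directory and checks the 406 variant list for the escaped forms would also be worth adding alongside this fix.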