httpd-dev mailing list archives

From "Jeff Trawick" <traw...@gmail.com>
Subject Re: [PATCH] CVE-2006-5752 for 1.3.x
Date Tue, 24 Jul 2007 13:25:45 GMT
On 7/20/07, Jeff Trawick <trawick@gmail.com> wrote:
> On 7/20/07, Sander Temme <sctemme@apache.org> wrote:
> >
> > On Jul 20, 2007, at 7:30 AM, Jeff Trawick wrote:
> >
> > > Index: src/modules/standard/mod_status.c
> >
> > +1, it's the same stuff we did for 2.2 in r549159.
> >
> > What about the ap_escape_logitem stuff in that same commit, does that
> > apply to 1.3?

unidiotified patch attached
(indentation looks slightly off due to use of tabs in original code)

browser appearance of ExtendedStatus section w/o ap_escape_logitem():

GET /cgi-bin/sleep.pl/fooýüûúùø÷ö HTTP/1.1

with:

GET /cgi-bin/sleep.pl/foo\xfd\xfc\xfb\xfa\xf9\xf8\xf7\xf6 HTTP/1.1
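
Added example, not part of the original message or the attached patch: a small C helper (hypothetical name `escape_status_item`, not Apache's `ap_escape_logitem()`) that turns the raw request line into the second form shown above by writing every byte outside printable ASCII as `\xhh`. Doubling a literal backslash is an assumption made here so the escaped text can be decoded unambiguously.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Apache source). Returns a malloc'd copy of src in
 * which bytes outside 0x20-0x7e become \xhh and '\' becomes "\\".
 * Caller frees. Returns NULL on overflow or allocation failure. */
char *escape_status_item(const unsigned char *src, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    char *out, *p;
    size_t i;

    if (len > (SIZE_MAX - 1) / 4)       /* worst case: 4 output bytes per input byte */
        return NULL;
    out = p = malloc(len * 4 + 1);
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (c == '\\') {                /* keep the escape character unambiguous */
            *p++ = '\\';
            *p++ = '\\';
        } else if (c >= 0x20 && c <= 0x7e) {
            *p++ = (char)c;             /* printable ASCII passes through */
        } else {                        /* control bytes and 0x80-0xff */
            *p++ = '\\';
            *p++ = 'x';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: the request line from the message as raw bytes. */
    static const unsigned char req[] =
        "GET /cgi-bin/sleep.pl/foo\xfd\xfc\xfb\xfa\xf9\xf8\xf7\xf6 HTTP/1.1";
    char *esc = escape_status_item(req, sizeof(req) - 1);

    if (esc == NULL)
        return 1;
    puts(esc);
    free(esc);
    return 0;
}
```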
