httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Abele <e...@codefaktor.de>
Subject Possible css vulnerability part II
Date Sun, 25 Aug 2002 14:00:44 GMT

After looking a second time in the code I realized that all calls to 
ap_log_rerror with the APLOG_TOCLIENT state are properly escaped in 
server/log.c. Therefore it should be safe to use 
apr_filename_of_pathname(r->filename) unescaped in the mentioned places:

> #### Possible places for css vulnerabilities
> ####
> #### I'm quite not sure, if r->method and apr_filename_of_pathname(r->filename)
> #### are safe to use unescaped in these places, but I'm sure that it is not
> #### safe to use apr_table_get(r->headers_in, "Expect") unescaped!
> 
> #### modules/generators/mod_cgi.c line 470 & mod_cgid.c line 650:
> #### apr_filename_of_pathname(r->filename) not escaped
> 
>             rc = ap_os_create_privileged_process(r, procnew, argv0, argv, 
>                                                  (const char * const *)env, 
>                                                  procattr, ptrans);
> 
>             if (rc != APR_SUCCESS) {
>                 /* Bad things happened. Everyone should have cleaned up. */
>                 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, rc, r,
>                               "couldn't create child process: %d: %s", rc, 
>                               apr_filename_of_pathname(r->filename));
>             }
> 
> #### server/util_script.c line 457:
> #### apr_filename_of_pathname(r->filename) not escaped
> 
> 	if ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data) == 0) {
> 	    ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
> 			  "Premature end of script headers: %s", 
>                           apr_filename_of_pathname(r->filename));
> 	    return HTTP_INTERNAL_SERVER_ERROR;
> 	}
> 
> #### server/util_script.c line 551:
> #### apr_filename_of_pathname(r->filename) not escaped
> 
> 	    ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
> 			  "%s: %s", malformed, 
>                           apr_filename_of_pathname(r->filename));
> 	    return HTTP_INTERNAL_SERVER_ERROR;
>
Erik


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message