mod_negotiation: Escape filenames in variant list

author Rainer Jung <rjung@apache.org>

Fri, 17 Aug 2012 20:17:59 +0000 (20:17 +0000)

committer Rainer Jung <rjung@apache.org>

Fri, 17 Aug 2012 20:17:59 +0000 (20:17 +0000)
author Rainer Jung <rjung@apache.org>
Fri, 17 Aug 2012 20:17:59 +0000 (20:17 +0000)
committer Rainer Jung <rjung@apache.org>
Fri, 17 Aug 2012 20:17:59 +0000 (20:17 +0000)
diff --git a/CHANGES b/CHANGES

index d2d7fce91ce50977d9b28240ba24e035acc49598..fdf2524dfab8d055c540c221a3939c8d69a0084d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,11 @@ Changes with Apache 2.2.23
       envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
       current working directory to be searched for DSOs. [Stefan Fritsch]
  
+  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+     mod_negotiation: Escape filenames in variant list to prevent an
+     possible XSS for a site where untrusted users can upload files to
+     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
    *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
       [Peter Pramberger <peter pramberger.at>, Jim Jagielski]
  
diff --git a/STATUS b/STATUS

index 41809cc8c13bb3029824f45b31e901641b510254..598bd7cd778d31c5fadf2cdbb09798d95621fb89 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -93,15 +93,6 @@ RELEASE SHOWSTOPPERS:
  PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
    [ start all new proposals below, under PATCHES PROPOSED. ]
  
-   * mod_negotiation: Escape filenames in variant list to prevent an
-     possible XSS for a site where untrusted users can upload files to a
-     location with MultiViews enabled.
-     SECURITY: CVE-2012-2687 (cve.mitre.org):
-     Submitted by: Niels Heinen <heinenn google.com>
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905
-     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356889
-     2.2.x patch: trunk patch applies
-     +1: rjung, trawick, wrowe
  
  PATCHES PROPOSED TO BACKPORT FROM TRUNK:
    [ New proposals should be added at the end of the list ]
diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c

index 25e60348b777956a9df99d0d7081abeb3972e593..ef4a72aba938c92e0b735a162a904f925bce094a 100644 (file)
--- a/modules/mappers/mod_negotiation.c
+++ b/modules/mappers/mod_negotiation.c
@@ -2658,9 +2658,9 @@ static char *make_variant_list(request_rec *r, negotiation_state *neg)
           * need to change the calculation of max_vlist_array above.
           */
          *((const char **) apr_array_push(arr)) = "<li><a href=\"";
-        *((const char **) apr_array_push(arr)) = filename;
+        *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
          *((const char **) apr_array_push(arr)) = "\">";
-        *((const char **) apr_array_push(arr)) = filename;
+        *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
          *((const char **) apr_array_push(arr)) = "</a> ";
          *((const char **) apr_array_push(arr)) = description;
author	Rainer Jung <rjung@apache.org>
	Fri, 17 Aug 2012 20:17:59 +0000 (20:17 +0000)
committer	Rainer Jung <rjung@apache.org>
	Fri, 17 Aug 2012 20:17:59 +0000 (20:17 +0000)
CHANGES		patch \| blob \| blame \| history
STATUS		patch \| blob \| blame \| history
modules/mappers/mod_negotiation.c		patch \| blob \| blame \| history