cross-site scripting flaw because the Expect header error message isn't
escaped. We couldn't find a way that this could be used by an attacker
however, as they can't influence the Expect header a victim will send to a
target site. Thiago agreed and we're therefore not treating this as a
security flaw, but it is a bug that ought to get fixed. I'll add to
STATUS for 1.3/2.0/2.2 shortly for acks.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@394965 13f79535-47bb-0310-9956-ffa450edef68
Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) HTML-escape the Expect error message. Not classed as security as
+ an attacker has no way to influence the Expect header a victim will
+ send to a target site. Reported by Thiago Zaninotti
+ <thiango nstalker.com>. [Mark Cox]
+
*) mod_proxy_balancer: Initialize members of a balancer correctly.
PR 38227. [James A. Robinson <jim.robinson stanford.edu>]
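Review bot: In the added CHANGES entry the reporter's address is spelled `thiango` while the name beside it is spelled Thiago. Check the address against the original report and correct whichever is wrong before this entry is copied into the 2.0 and 2.2 sections on backport.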
"request-header"
"\nfield could not be met by this server.</p>\n"
"<p>The client sent<pre>\n Expect: ",
- apr_table_get(r->headers_in, "Expect"),
+ ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
"\n</pre>\n"
"but we only allow the 100-continue "
"expectation.</p>\n",
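Review bot: On the changed line the result of `apr_table_get(r->headers_in, "Expect")` is passed straight to `ap_escape_html`, and `apr_table_get` returns NULL when the header is absent. The visible context shows no guard, so confirm this branch is only reached when Expect is set, or fetch the value into a local and check it before escaping. The escaping itself fits the output context, since the value is written inside a `<pre>` element of the HTML error body.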