]> git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
projects / thirdparty / apache / httpd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a3fcf44)
Fix CVE-2007-5000:
authorJoe Orton <jorton@apache.org>
Wed, 12 Dec 2007 12:36:54 +0000 (12:36 +0000)
committerJoe Orton <jorton@apache.org>
Wed, 12 Dec 2007 12:36:54 +0000 (12:36 +0000)
* src/modules/standard/mod_imap.c (menu_header): Fix cross-site
  scripting issue by escaping the URI, and ensure that a charset
  parameter is sent in the content-type to prevent autodetection by
  broken browsers.

Reported by: JPCERT

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@603597 13f79535-47bb-0310-9956-ffa450edef68

src/CHANGES patch | blob | blame | history
src/modules/standard/mod_imap.c patch | blob | blame | history

diff --git a/src/CHANGES b/src/CHANGES
index 5d8f71509d00641cf8e41d6cee9cc0180ac7c089..876990db1cd19372b705de21596137beddf3fad5 100644 (file)
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.40
 
+  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+     mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
+    [Joe Orton]
+
   *) SECURITY: CVE-2007-3847 (cve.mitre.org)
      mod_proxy: Prevent reading past the end of a buffer when parsing
      date-related headers.  PR 41144.
diff --git a/src/modules/standard/mod_imap.c b/src/modules/standard/mod_imap.c
index fc9e1b455e834ec4a259e0e015d29ae5844d46fe..ff2d2848e12041de93524acbaa67a73c5975521d 100644 (file)
--- a/src/modules/standard/mod_imap.c
+++ b/src/modules/standard/mod_imap.c
@@ -463,7 +463,7 @@ static int imap_reply(request_rec *r, char *redirect)
 
 static void menu_header(request_rec *r, char *menu)
 {
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
     ap_send_http_header(r);
 #ifdef CHARSET_EBCDIC
     /* Server-generated response, converted */
@@ -471,11 +471,13 @@ static void menu_header(request_rec *r, char *menu)
 #endif
     ap_hard_timeout("send menu", r);       /* killed in menu_footer */
 
-    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
-           "</title>\n</head><body>\n", NULL);
+    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", 
+              ap_escape_html(r->pool, r->uri),
+              "</title>\n</head><body>\n", NULL);
 
     if (!strcasecmp(menu, "formatted")) {
-        ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL);
+        ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri),
+                  "</h1>\n<hr>\n\n", NULL);
     }
 
     return;
Mirror of https://github.com/apache/httpd.git