- various mods: host and URI escaping:

  Be sure to escape potential troubled strings,
  add missing html escaping
- const fixes for mod_imagemap

Submitted by: jim, sf, covener
Backported by: rjung
Reviewed by: rpluem, wrowe

Backport of r1413732, r1418752, r1416889, r1422234 and r1422253
from trunk resp. r1418941 and r1425750 from 2.4.x.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1447390 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index ca458741358276fd7afc487af1f2c1d25ff243f1..cca5491a66a7bf4096bbd4d610e74d8e708a89e1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.24
 
+  *) mod_status, mod_info, mod_proxy_ftp, mod_proxy_balancer, mod_imagemap,
+     mod_ldap: Improve escaping of hostname and URIs HTML output.
+     [Jim Jagielski, Stefan Fritsch]
+
   *) mod_ssl: Send the error message for speaking http to an https port using
      HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
      using SNI. PR 50823. [Stefan Fritsch]

diff --git a/STATUS b/STATUS
index cb16f9e022b369852cd8189c77ebfbe145ea8730..f4b9a986da0dd270a7b782bbe9effef6bccb9200 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -94,18 +94,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * various mods: host and URI escaping. Includes needed constification
-     fix for mod_imagemap.
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1413732
-                  http://svn.apache.org/viewvc?view=revision&revision=1418752
-                  http://svn.apache.org/viewvc?view=revision&revision=1416889
-                  http://svn.apache.org/viewvc?view=revision&revision=1422234
-                  http://svn.apache.org/viewvc?view=revision&revision=1422253
-     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1418941
-                  http://svn.apache.org/viewvc?view=revision&revision=1425750
-     2.2.x patch: http://people.apache.org/~rjung/patches/host-and-uri-escaping-2_2.patch
-     +1: rjung, rpluem, wrowe
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

diff --git a/modules/generators/mod_info.c b/modules/generators/mod_info.c
index 297953fd0a2c763c598526d6730c745b0a73cc64..d924f20a05a3574f01bc15803dc6e13b663ca221 100644 (file)
--- a/modules/generators/mod_info.c
+++ b/modules/generators/mod_info.c
@@ -371,7 +371,8 @@ static int show_server_settings(request_rec * r)
                MODULE_MAGIC_NUMBER_MINOR);
     ap_rprintf(r,
                "<dt><strong>Hostname/port:</strong> "
-               "<tt>%s:%u</tt></dt>\n", ap_get_server_name(r),
+               "<tt>%s:%u</tt></dt>\n",
+               ap_escape_html(r->pool, ap_get_server_name(r)),
                ap_get_server_port(r));
     ap_rprintf(r,
                "<dt><strong>Timeouts:</strong> "

diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c
index bcf9b10c4ac63c6534b0df6e0168e2a507cd3a9b..1c64d6e2509cf6fe0bfefabe3ead2a9cfaf53482 100644 (file)
--- a/modules/generators/mod_status.c
+++ b/modules/generators/mod_status.c
@@ -409,7 +409,8 @@ static int status_handler(request_rec *r)
                  "<html><head>\n<title>Apache Status</title>\n</head><body>\n",
                  r);
         ap_rputs("<h1>Apache Server Status for ", r);
-        ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
+        ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
+                  "</h1>\n\n", NULL);
         ap_rvputs(r, "<dl><dt>Server Version: ",
                   ap_get_server_description(), "</dt>\n", NULL);
         ap_rvputs(r, "<dt>Server Built: ",

diff --git a/modules/ldap/util_ldap_cache_mgr.c b/modules/ldap/util_ldap_cache_mgr.c
index b0283715948ca7580fbaf2be9c987c8e084c9859..4d71606289c5f9095d83f0e154a1214cd17b7a0f 100644 (file)
--- a/modules/ldap/util_ldap_cache_mgr.c
+++ b/modules/ldap/util_ldap_cache_mgr.c
@@ -541,7 +541,7 @@ char *util_ald_cache_display_stats(request_rec *r, util_ald_cache_t *cache, char
     if (id) {
         buf2 = apr_psprintf(p,
                  "<a href=\"%s?%s\">%s</a>",
-             r->uri,
+             ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)),
              id,
              name);
     }

diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c
index f6741d35b4ed01f74392edc8f5d609835815e229..4f365fb7b90288587d09d5eefae1f488b3311b6e 100644 (file)
--- a/modules/mappers/mod_imagemap.c
+++ b/modules/mappers/mod_imagemap.c
@@ -320,7 +320,7 @@ static void read_quoted(char **string, char **quoted_part)
 /*
  * returns the mapped URL or NULL.
  */
-static char *imap_url(request_rec *r, const char *base, const char *value)
+static const char *imap_url(request_rec *r, const char *base, const char *value)
 {
 /* translates a value into a URL. */
     int slen, clen;
@@ -342,7 +342,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
     if (!strcasecmp(value, "referer")) {
         referer = apr_table_get(r->headers_in, "Referer");
         if (referer && *referer) {
-            return ap_escape_html(r->pool, referer);
+            return referer;
         }
         else {
             /* XXX:  This used to do *value = '\0'; ... which is totally bogus
@@ -459,7 +459,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value)
     return my_base;
 }
 
-static int imap_reply(request_rec *r, char *redirect)
+static int imap_reply(request_rec *r, const char *redirect)
 {
     if (!strcasecmp(redirect, "error")) {
         /* they actually requested an error! */
@@ -523,42 +523,52 @@ static void menu_comment(request_rec *r, char *menu, char *comment)
                                    'formatted' form */
 }
 
-static void menu_default(request_rec *r, char *menu, char *href, char *text)
+static void menu_default(request_rec *r, const char *menu, const char *href, const char *text)
 {
+    char *ehref, *etext;
     if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
         return;                 /* don't print such lines, these aren't
                                    really href's */
     }
+
+    ehref = ap_escape_uri(r->pool, href);
+    etext = ap_escape_html(r->pool, text);
+
     if (!strcasecmp(menu, "formatted")) {
-        ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
+        ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
                "</a></pre>\n", NULL);
     }
     if (!strcasecmp(menu, "semiformatted")) {
-        ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
+        ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
                "</a></pre>\n", NULL);
     }
     if (!strcasecmp(menu, "unformatted")) {
-        ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
+        ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
     }
     return;
 }
 
-static void menu_directive(request_rec *r, char *menu, char *href, char *text)
+static void menu_directive(request_rec *r, const char *menu, const char *href, const char *text)
 {
+    char *ehref, *etext;
     if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
         return;                 /* don't print such lines, as this isn't
                                    really an href */
     }
+
+    ehref = ap_escape_uri(r->pool, href);
+    etext = ap_escape_html(r->pool, text);
+
     if (!strcasecmp(menu, "formatted")) {
-        ap_rvputs(r, "<pre>          <a href=\"", href, "\">", text,
+        ap_rvputs(r, "<pre>          <a href=\"", ehref, "\">", etext,
                "</a></pre>\n", NULL);
     }
     if (!strcasecmp(menu, "semiformatted")) {
-        ap_rvputs(r, "<pre>          <a href=\"", href, "\">", text,
+        ap_rvputs(r, "<pre>          <a href=\"", ehref, "\">", etext,
                "</a></pre>\n", NULL);
     }
     if (!strcasecmp(menu, "unformatted")) {
-        ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
+        ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
     }
     return;
 }
@@ -574,9 +584,9 @@ static int imap_handler_internal(request_rec *r)
     char *directive;
     char *value;
     char *href_text;
-    char *base;
-    char *redirect;
-    char *mapdflt;
+    const char *base;
+    const char *redirect;
+    const char *mapdflt;
     char *closest = NULL;
     double closest_yet = -1;
     apr_status_t status;

diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index 325fdb21196744efbe659dbced3feea08d94aad6..cc0400666134bcaf2c0f627eb06edc854cd6855d 100644 (file)
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -829,7 +829,8 @@ static int balancer_handler(request_rec *r)
         ap_rputs(DOCTYPE_HTML_3_2
                  "<html><head><title>Balancer Manager</title></head>\n", r);
         ap_rputs("<body><h1>Load Balancer Manager for ", r);
-        ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
+        ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
+                  "</h1>\n\n", NULL);
         ap_rvputs(r, "<dl><dt>Server Version: ",
                   ap_get_server_description(), "</dt>\n", NULL);
         ap_rvputs(r, "<dt>Server Built: ",
@@ -864,7 +865,8 @@ static int balancer_handler(request_rec *r)
             worker = (proxy_worker *)balancer->workers->elts;
             for (n = 0; n < balancer->workers->nelts; n++) {
                 char fbuf[50];
-                ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=",
+                ap_rvputs(r, "<tr>\n<td><a href=\"",
+                          ap_escape_uri(r->pool, r->uri), "?b=",
                           balancer->name + sizeof("balancer://") - 1, "&w=",
                           ap_escape_uri(r->pool, worker->name),
                           "&nonce=", balancer_nonce, 
@@ -905,7 +907,7 @@ static int balancer_handler(request_rec *r)
             ap_rputs("<h3>Edit worker settings for ", r);
             ap_rvputs(r, wsel->name, "</h3>\n", NULL);
             ap_rvputs(r, "<form method=\"GET\" action=\"", NULL);
-            ap_rvputs(r, r->uri, "\">\n<dl>", NULL);
+            ap_rvputs(r, ap_escape_uri(r->pool, r->uri), "\">\n<dl>", NULL);
             ap_rputs("<table><tr><td>Load factor:</td><td><input name=\"lf\" type=text ", r);
             ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbfactor);
             ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r);

diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
index 924ac31017848295354b0c0921dd2e5ce69a593f..489f5ea7b2f9360ae26a5bfdc9aef80e76818bae 100644 (file)
--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
@@ -365,7 +365,9 @@ static apr_status_t proxy_send_dir_filter(ap_filter_t *f,
                 " </head>\n"
                 " <body>\n  <h2>Directory of "
                 "<a href=\"/\">%s</a>/%s",
-                site, basedir, escpath, site, basedir, escpath, site, str);
+                ap_escape_html(p, site), basedir, escpath,
+                ap_escape_uri(p, site), basedir, escpath,
+                ap_escape_uri(p, site), str);
 
         APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str),
                                                           p, c->bucket_alloc));