Merge r603282 from trunk:

Fix CVE-2007-5000:

* modules/mappers/mod_imap.c (menu_header): Fix cross-site-scripting
  issue by escaping the URI, and ensure that a charset parameter is
  sent in the content-type to prevent autodetection by broken browsers.

Reported by: JPCERT
Reviewed by: jorton, rpluem, trawick

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@603619 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 2e8998fa6d35e71764d9f92edef142a6c5316546..f383f48231b16ca6614b90815d4b15cb46040b97 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.62
 
+  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+     mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
+     [Joe Orton]  
 
 Changes with Apache 2.0.61
 

diff --git a/modules/mappers/mod_imap.c b/modules/mappers/mod_imap.c
index 0ae82c8baa7141b8bfb2da85bac560d55060bc8f..f7745c650b8667f10706f89e5c77aef69855b862 100644 (file)
--- a/modules/mappers/mod_imap.c
+++ b/modules/mappers/mod_imap.c
@@ -479,13 +479,16 @@ static int imap_reply(request_rec *r, char *redirect)
 
 static void menu_header(request_rec *r, char *menu)
 {
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
-    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
-           "</title>\n</head><body>\n", NULL);
+    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", 
+              ap_escape_html(r->pool, r->uri),
+              "</title>\n</head><body>\n", NULL);
 
     if (!strcasecmp(menu, "formatted")) {
-        ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr />\n\n", NULL);
+        ap_rvputs(r, "<h1>Menu for ", 
+                  ap_escape_html(r->pool, r->uri),
+                  "</h1>\n<hr />\n\n", NULL);
     }
 
     return;