RELEASE SHOWSTOPPERS:
- *) http_protocol: Fix escaping of Expect error message
- http://svn.apache.org/viewcvs?rev=394965&view=rev
- http://people.redhat.com/mjc/20060411-expect-apache13.patch
- +1: mjc, trawick, wrowe
-
-
PROPOSED PATCHES FOR THIS RELEASE:
*) mod_rewrite on Win32: change the mutex mechanism for RewriteLog
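Review bot: Deleting the whole RELEASE SHOWSTOPPERS entry removes the only record of the vote (+1: mjc, trawick, wrowe) and of the two backport links (rev 394965 and the 20060411-expect-apache13.patch); move the entry to a resolved or backported section if STATUS keeps one, or cite rev 394965 in the corresponding CHANGES entry, so the provenance of the http_protocol Expect escaping fix in 1.3.35 stays traceable after this hunk lands.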
Changes with Apache 1.3.35
+ *) HTML-escape the Expect error message. Not classed as security as
+ an attacker has no way to influence the Expect header a victim will
+ send to a target site. Reported by Thiago Zaninotti
+ <thiango nstalker.com>. [Mark Cox]
+
*) SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
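Review bot: The new CHANGES entry does not say where the escaping was applied; name the code it touches (the http_protocol error body that echoes the client's Expect header, as the STATUS entry calls it) so the entry can be matched to the code change, in the same way the CVE-2005-3352 entry below names mod_imap and the referer header. The stated reason for not classing it as security (an attacker has no way to influence the Expect header a victim will send) is worth keeping as written, since it records the threat model that was considered when the severity was decided.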
ap_rvputs(r, "The expectation given in the Expect request-header"
"\nfield could not be met by this server.<P>\n"
"The client sent<PRE>\n Expect: ",
- ap_table_get(r->headers_in, "Expect"), "\n</PRE>\n"
+ ap_escape_html(r->pool, ap_table_get(r->headers_in, "Expect")), "\n</PRE>\n"
"but we only allow the 100-continue expectation.\n",
NULL);
break;
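Review bot: Wrapping ap_table_get(r->headers_in, "Expect") in ap_escape_html changes the behaviour when the header is absent: ap_table_get returns NULL in that case, and where ap_rvputs previously treated a NULL argument as the end of its list, ap_escape_html now receives NULL as its string and will dereference it. If this branch can only be reached after an Expect header has been seen and rejected, that is safe, but a one-line comment above the ap_rvputs call stating that invariant would make the safety obvious to the next reader; otherwise guard the value before escaping it. The escaping itself is the right fix, since the header value was copied into an HTML body unescaped, the same class of issue as the mod_imap referer change noted above.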