Merge r682868 from trunk:

* Prevent XSS attacks when using wildcards in the path of the FTP URL.
  Discovered by Marc Bevand of Rapid7.

CVE: CVE-2008-2939
Submitted by: rpluem
Reviewed by: rpluem, mjc, jim, jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@682871 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index fa17f8d4afce162a2f755484c35805e9b1098a02..cb171e8d4ca9eb156bd60f1cb9a6e30c3dbb1a85 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.64
 
+  *) SECURITY: CVE-2008-2939 (cve.mitre.org)
+     mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
+     the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
 
 Changes with Apache 2.0.63
 

diff --git a/modules/proxy/proxy_ftp.c b/modules/proxy/proxy_ftp.c
index 3cf6d31fbb5129f9969955d925b8c66a0a4b4ade..3053c44748b9f9fa3f2a2668484d4ba95be42bd4 100644 (file)
--- a/modules/proxy/proxy_ftp.c
+++ b/modules/proxy/proxy_ftp.c
@@ -382,6 +382,7 @@ apr_status_t ap_proxy_send_dir_filter(ap_filter_t *f, apr_bucket_brigade *in)
                                                            c->bucket_alloc));
         }
         if (wildcard != NULL) {
+            wildcard = ap_escape_html(p, wildcard);
             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
                                                            strlen(wildcard), p,
                                                            c->bucket_alloc));