Merge r607282 from trunk:
authorRuediger Pluem <rpluem@apache.org>
Sat, 29 Dec 2007 09:39:23 +0000 (09:39 +0000)
committerRuediger Pluem <rpluem@apache.org>
Sat, 29 Dec 2007 09:39:23 +0000 (09:39 +0000)
* Ensure refresh parameter is numeric to prevent a possible XSS attack caused
  by redirecting to other URLs. Reported by SecurityReason.

Submitted by: Mark Cox, Joe Orton
Reviewed by: rpluem, wrowe, jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@607408 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/generators/mod_status.c

diff --git a/CHANGES b/CHANGES
index aa043e13a2f78a52530d1751074dacd918be8fdb..e98515cb435dad83c8f89c91b413e706b43a0911 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,14 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.7
 
+  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+     mod_status: Ensure refresh parameter is numeric to prevent
+     a possible XSS attack caused by redirecting to other URLs.
+     Reported by SecurityReason.  [Mark Cox, Joe Orton]
+
   *) SECURITY: CVE-2007-5000 (cve.mitre.org)
      mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
-     [Joe Orton]  
+     [Joe Orton]
 
   *) http_protocol: Escape request method in 405 error reporting.
      This has no security impact since the browser cannot be tricked
diff --git a/STATUS b/STATUS
index d9832ad4ed2191e9e10003b22591dd3d04c40aa3..1a1c4761ba947b2e67d736a02547cfc2b064f3c5 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -112,14 +112,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_status: Ensure refresh parameter is numeric to prevent a possible XSS
-     attack caused by redirecting to other URLs.
-      Trunk version of patch:
-         http://svn.apache.org/viewvc?rev=607282&view=rev
-      Backport version for 2.0.x of patch:
-         http://awe.com/e8f6ad05238f8/CVE-2007-6388-httpd-2.x.patch
-      +1: rpluem, wrowe, jorton
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
index 99287e09f75d66203d8165db99c4a28e54858340..691dd075c1f93f76ed7e411ec873af536afeefb1 100644 (file)
@@ -71,6 +71,7 @@
 #endif
 #define APR_WANT_STRFUNC
 #include "apr_want.h"
+#include "apr_strings.h"
 
 #ifdef NEXT
 #if (NX_CURRENT_COMPILER_RELEASE == 410)
@@ -296,19 +297,18 @@ static int status_handler(request_rec *r)
             if ((loc = ap_strstr_c(r->args,
                                    status_options[i].form_data_str)) != NULL) {
                 switch (status_options[i].id) {
-                case STAT_OPT_REFRESH:
-                    if (*(loc + strlen(status_options[i].form_data_str)) == '='
-                        && atol(loc + strlen(status_options[i].form_data_str)
-                                + 1) > 0)
-                        apr_table_set(r->headers_out,
-                                      status_options[i].hdr_out_str,
-                                      loc +
-                                      strlen(status_options[i].hdr_out_str) +
-                                      1);
-                    else
-                        apr_table_set(r->headers_out,
-                                      status_options[i].hdr_out_str, "1");
+                case STAT_OPT_REFRESH: {
+                    apr_size_t len = strlen(status_options[i].form_data_str);
+                    long t = 0;
+
+                    if (*(loc + len ) == '=') {
+                        t = atol(loc + len + 1);
+                    }
+                    apr_table_set(r->headers_out,
+                                  status_options[i].hdr_out_str,
+                                  apr_ltoa(r->pool, t < 1 ? 1 : t));
                     break;
+                }
                 case STAT_OPT_NOTABLE:
                     no_table_report = 1;
                     break;
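Review bot: `atol(loc + len + 1)` in the STAT_OPT_REFRESH case has no way to report a digit string that does not fit in a long, and the C standard leaves that case undefined, so an over-long numeric value in the query still reaches `apr_ltoa` as an unspecified number. Parsing with `errno = 0; t = strtol(loc + len + 1, NULL, 10);` and falling back to 1 when `errno == ERANGE` keeps the header purely numeric and makes the result defined; an upper clamp on the interval would also be reasonable. A short comment such as `/* emit only a re-formatted integer so no request text is copied into the response header */` would record why the value goes through `apr_ltoa` rather than being passed along as a string. status_handler begins and ends outside this hunk, so whether `<errno.h>` is already included is not visible here.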