From: Rainer Jung
Date: Fri, 17 Aug 2012 20:17:59 +0000 (+0000)
Subject: mod_negotiation: Escape filenames in variant list
X-Git-Tag: 2.2.23~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a0b0b3b90986feb9a12f041f4425832d309c269;p=thirdparty%2Fapache%2Fhttpd.git

mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled.
SECURITY: CVE-2012-2687 (cve.mitre.org):
Submitted by: Niels Heinen
Reviewed by: trawick, wrowe
Backported by: rjung

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374421 13f79535-47bb-0310-9956-ffa450edef68
--- diff --git a/CHANGES b/CHANGES index d2d7fce91ce..fdf2524dfab 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,11 @@ Changes with Apache 2.2.23 envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs. [Stefan Fritsch] + *) SECURITY: CVE-2012-2687 (cve.mitre.org) + mod_negotiation: Escape filenames in variant list to prevent an + possible XSS for a site where untrusted users can upload files to + a location with MultiViews enabled. [Niels Heinen ] + *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945. [Peter Pramberger , Jim Jagielski] diff --git a/STATUS b/STATUS index 41809cc8c13..598bd7cd778 100644 --- a/STATUS +++ b/STATUS 
@@ -93,15 +93,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_negotiation: Escape filenames in variant list to prevent an - possible XSS for a site where untrusted users can upload files to a - location with MultiViews enabled. - SECURITY: CVE-2012-2687 (cve.mitre.org): - Submitted by: Niels Heinen - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905 - 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356889 - 2.2.x patch: trunk patch applies - +1: rjung, trawick, wrowe PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c index 25e60348b77..ef4a72aba93 100644 --- a/modules/mappers/mod_negotiation.c +++ b/modules/mappers/mod_negotiation.c @@ -2658,9 +2658,9 @@ static char *make_variant_list(request_rec *r, negotiation_state *neg) * need to change the calculation of max_vlist_array above. */ *((const char **) apr_array_push(arr)) = "
  • pool, filename); *((const char **) apr_array_push(arr)) = "\">"; - *((const char **) apr_array_push(arr)) = filename; + *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename); *((const char **) apr_array_push(arr)) = " "; *((const char **) apr_array_push(arr)) = description;
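Review bot: the new CHANGES entry (hunk @@ -5,6 +5,11 @@) carries a grammar slip, "to prevent an possible XSS", which should read "to prevent a possible XSS"; CHANGES is the user-facing release note for 2.2.23, so it is worth correcting before the tag. The entry otherwise follows the file's convention (SECURITY tag with the CVE id, module prefix, attribution in brackets), and placing it directly after the envvars LD_LIBRARY_PATH item keeps the security fixes grouped at the top of the 2.2.23 section.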
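Review bot: dropping the block from PATCHES ACCEPTED TO BACKPORT FROM TRUNK in the STATUS hunk (@@ -93,15 +93,6 @@) is the expected housekeeping once the backport lands, and the three +1 votes (rjung, trawick, wrowe) agree with the Reviewed by / Backported by lines in the log. One traceability point: the removed lines were the only place recording the trunk revision (r1349905) and the 2.4.x revision (r1356889) of this fix, and neither the CHANGES entry nor the commit log mentions them; consider carrying those two pointers into the log message so that anyone auditing the CVE-2012-2687 fix across branches can find the original commits without digging through STATUS history.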
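Review bot: in the mod_negotiation.c hunk (@@ -2658,9 +2658,9 @@) the change is a one-for-one replacement of the push of the raw filename with a push of ap_escape_html(r->pool, filename), so the element count of arr is unchanged and the comment above about recalculating max_vlist_array still holds; no sizing change is needed. Two documentation points on the surrounding context lines: the href value on the preceding line is built with a separate escaping call (the `pool, filename);` fragment) while the link text now goes through ap_escape_html, which is the right split because URI escaping does not neutralise markup in element content, but a one-line comment saying so would stop a later cleanup from collapsing them into a single call. And `description` is still pushed unescaped immediately after the `" "` separator; whether that is acceptable depends on where variant descriptions originate, which this hunk does not show, so a comment recording that trust assumption would explain why the two fields are treated differently.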