From: Ruediger Pluem Date: Tue, 5 Aug 2008 19:01:50 +0000 (+0000) Subject: Merge r682868 from trunk: X-Git-Tag: 2.2.10~122 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=447309689a7970bf8a7e00eb9d44a115acb8f6a3;p=thirdparty%2Fapache%2Fhttpd.git Merge r682868 from trunk: * Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. CVE: CVE-2008-2939 Submitted by: rpluem Reviewed by: rpluem, mjc, jim, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@682870 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index dcd4361c51e..0543571a8ee 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.10 + *) SECURITY: CVE-2008-2939 (cve.mitre.org) + mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of + the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] + *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to known HTTP/1.0 servers. Return 'Expectation failed' (417) instead. [Ruediger Pluem] diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c index 75a2054e542..aca1cc40eaa 100644 --- a/modules/proxy/mod_proxy_ftp.c +++ b/modules/proxy/mod_proxy_ftp.c @@ -383,6 +383,7 @@ static apr_status_t proxy_send_dir_filter(ap_filter_t *f, c->bucket_alloc)); } if (wildcard != NULL) { + wildcard = ap_escape_html(p, wildcard); APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard, strlen(wildcard), p, c->bucket_alloc));
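Review bot: in the mod_proxy_ftp.c hunk, the added line `wildcard = ap_escape_html(p, wildcard);` overwrites the only copy of the raw pattern, so any use of `wildcard` after this `if` block for something other than output would see the HTML-escaped string. Consider assigning the escaped value to a separate local and passing that to `apr_bucket_pool_create()`. The line also carries no comment; a one-line note that the wildcard comes from the path of the FTP URL and is written into the output of `proxy_send_dir_filter` would explain why it is escaped at this point. The context above the change ends another insertion into the brigade (`c->bucket_alloc));`), so it is worth confirming that whatever that call writes from the URL path is escaped as well, since only the wildcard part is covered here.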