From: Mark J. Cox Date: Tue, 18 Apr 2006 15:30:13 +0000 (+0000) Subject: Thiago Zaninotti reported to security@apache.org on 20060410 a possible X-Git-Tag: 2.3.0~2446 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50376d16bd3f5baac4494fe2ba77a949894eac84;p=thirdparty%2Fapache%2Fhttpd.git Thiago Zaninotti reported to security@apache.org on 20060410 a possible cross-site scripting flaw because the Expect header error message isn't escaped. We couldn't find a way that this could be used by an attacker however, as they can't influence the Expect header a victim will send to a target site. Thiago agreed and we're therefore not treating this as a security flaw, but it is a bug that ought to get fixed. I'll add to STATUS for 1.3/2.0/2.2 shortly for acks. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@394965 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index bf250875cc3..68f4c855d11 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,11 @@ Changes with Apache 2.3.0 [Remove entries to the current 2.0 and 2.2 section below, when backported] + *) HTML-escape the Expect error message. Not classed as security as + an attacker has no way to influence the Expect header a victim will + send to a target site. Reported by Thiago Zaninotti + . [Mark Cox] + *) mod_proxy_balancer: Initialize members of a balancer correctly. PR 38227. [James A. Robinson ] diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c index 46ee7e6eb9d..a1ae9818834 100644 --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c @@ -996,7 +996,7 @@ static const char *get_canned_error_string(int status, "request-header" "\nfield could not be met by this server.

\n" "

The client sent

\n    Expect: ",
-                           apr_table_get(r->headers_in, "Expect"),
+                           ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
                            "\n
\n" "but we only allow the 100-continue " "expectation.

\n",