From: Joe Orton Date: Tue, 17 Jul 2007 15:10:05 +0000 (+0000) Subject: Merge r549159 from trunk: X-Git-Tag: 2.2.5~154 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5440567c01e12c057066d95aea56477e1f53714a;p=thirdparty%2Fapache%2Fhttpd.git Merge r549159 from trunk: Fix CVE-2006-5752: * modules/generators/mod_status.c (status_handler): Specify charset in content-type to prevent browsers doing charset "detection", which allows an XSS attack. Use logitem-escaping on the request string to make it charset-neutral. Reported by: Stefan Esser Submitted by: jorton Reviewed by: jorton, fuankg, rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@556941 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 6a4b87bab56..f75bcd7b2ec 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,11 @@ Changes with Apache 2.2.5 be forced to kill processes outside its process group. [Joe Orton, Jim Jagielski] + *) SECURITY: CVE-2006-5752 (cve.mitre.org) + mod_status: Fix a possible XSS attack against a site with a public + server-status page and ExtendedStatus enabled, for browsers which + perform charset "detection". Reported by Stefan Esser. [Joe Orton] + *) mod_cache: Do not set Date or Expires when they are missing from the original response or are invalid. [Justin Erenkrantz] diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c index 7fb0f332f7a..b2a6ea28cc0 100644 --- a/modules/generators/mod_status.c +++ b/modules/generators/mod_status.c @@ -270,7 +270,7 @@ static int status_handler(request_rec *r) if (r->method_number != M_GET) return DECLINED; - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); /* * Simple table-driven form data set parser that lets you alter the header 
@@ -299,7 +299,7 @@ static int status_handler(request_rec *r) no_table_report = 1; break; case STAT_OPT_AUTO: - ap_set_content_type(r, "text/plain"); + ap_set_content_type(r, "text/plain; charset=ISO-8859-1"); short_report = 1; break; } @@ -673,7 +673,8 @@ static int status_handler(request_rec *r) ap_escape_html(r->pool, ws_record->client), ap_escape_html(r->pool, - ws_record->request), + ap_escape_logitem(r->pool, + ws_record->request)), ap_escape_html(r->pool, ws_record->vhost)); } @@ -763,7 +764,8 @@ static int status_handler(request_rec *r) ap_escape_html(r->pool, ws_record->vhost), ap_escape_html(r->pool, - ws_record->request)); + ap_escape_logitem(r->pool, + ws_record->request))); } /* no_table_report */ } /* for (j...) */ } /* for (i...) */
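Review bot: The CHANGES hunk documents only the charset half of the fix; the two ap_escape_logitem hunks in mod_status.c also change what the status page displays for request strings (the commit message calls this making them "charset-neutral", which in practice means control and non-ASCII bytes are rendered as escape sequences rather than raw bytes), and anyone scraping server-status will see that difference. Suggest a second sentence in the entry along the lines of "Request strings are now logitem-escaped before being displayed."

Review bot: In the @@ -270 hunk the charset is hard-coded as ISO-8859-1 in the Content-Type header, which is the correct place to close the sniffing window, and it is consistent with the later hunks: once the request string has been logitem-escaped the page no longer carries bytes a browser could reinterpret as a different encoding, so the declared charset is accurate. The same string literal appears again in the @@ -299 hunk; a shared #define for the charset suffix would keep the two branches from drifting if the value is ever revisited.

Review bot: The @@ -299 hunk gives the STAT_OPT_AUTO (text/plain, "?auto") response the same charset parameter as the HTML page, which is right, since a text/plain body without a declared charset is just as exposed to browser detection as text/html. Worth confirming during review that no code path after this switch calls ap_set_content_type again without the parameter, otherwise the fix would be silently undone for that path.

Review bot: In the @@ -673 hunk the nesting order is the safe one: ap_escape_logitem runs on the raw ws_record->request first, so any byte sequence that could be read as multibyte text is rewritten before ap_escape_html handles the HTML-significant characters in the result. Note the asymmetry on the adjacent lines, where ws_record->client and ws_record->vhost remain html-escaped only; that is defensible for a peer address and a configured server name, which are not attacker-chosen in the same way as the request line, but a one-line comment stating why request is treated differently would help the next reader.

Review bot: The @@ -763 hunk repeats the identical nested ap_escape_html(ap_escape_logitem(...)) expression from the table branch for the no_table_report path; a small static helper (for example a hypothetical escape_request(r->pool, ws_record->request)) would keep the two report paths in step, which matters here because the whole point of the fix is that both output paths apply exactly the same escaping to the same field.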