From: Joe Orton Date: Wed, 13 Jun 2012 15:33:48 +0000 (+0000) Subject: SECURITY: CVE-2012-2687 (cve.mitre.org): X-Git-Tag: 2.5.0-alpha~6739 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=885e76bebb7f8a1eeb5c72d3c217dd94fd6a8556;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2012-2687 (cve.mitre.org): mod_negotiation: Escape filenames in variant list to prevent an possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. * modules/mappers/mod_negotiation.c (make_variant_list): Escape filenames in variant list. Submitted by: Niels Heinen git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1349905 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 57bd37e84c3..b4c20abc7c8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) SECURITY: CVE-2012-2687 (cve.mitre.org) + mod_negotiation: Escape filenames in variant list to prevent an + possible XSS for a site where untrusted users can upload files to + a location with MultiViews enabled. [Niels Heinen ] + *) mod_ssl: If exiting during initialization because of a fatal error, log a message to the main error log pointing to the appropriate virtual host error log. [Stefan Fritsch] diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c index cba118c611d..5f3232b8a55 100644 --- a/modules/mappers/mod_negotiation.c +++ b/modules/mappers/mod_negotiation.c @@ -2656,9 +2656,9 @@ static char *make_variant_list(request_rec *r, negotiation_state *neg) * need to change the calculation of max_vlist_array above. */ *((const char **) apr_array_push(arr)) = "
  • pool, filename); *((const char **) apr_array_push(arr)) = "\">"; - *((const char **) apr_array_push(arr)) = filename; + *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename); *((const char **) apr_array_push(arr)) = " "; *((const char **) apr_array_push(arr)) = description;