From: Joe Orton Date: Wed, 12 Dec 2007 12:36:54 +0000 (+0000) Subject: Fix CVE-2007-5000: X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e6437a2d3a2e4ce38382ff295653f0fdb9dd939;p=thirdparty%2Fapache%2Fhttpd.git Fix CVE-2007-5000: * src/modules/standard/mod_imap.c (menu_header): Fix cross-site scripting issue by escaping the URI, and ensure that a charset parameter is sent in the content-type to prevent autodetection by broken browsers. Reported by: JPCERT git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@603597 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index 5d8f71509d0..876990db1cd 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,9 @@ Changes with Apache 1.3.40 + *) SECURITY: CVE-2007-5000 (cve.mitre.org) + mod_imap: Fix cross-site scripting issue. Reported by JPCERT. + [Joe Orton] + *) SECURITY: CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. diff --git a/src/modules/standard/mod_imap.c b/src/modules/standard/mod_imap.c index fc9e1b455e8..ff2d2848e12 100644 --- a/src/modules/standard/mod_imap.c +++ b/src/modules/standard/mod_imap.c @@ -463,7 +463,7 @@ static int imap_reply(request_rec *r, char *redirect) static void menu_header(request_rec *r, char *menu) { - r->content_type = "text/html"; + r->content_type = "text/html; charset=ISO-8859-1"; ap_send_http_header(r); #ifdef CHARSET_EBCDIC /* Server-generated response, converted */ @@ -471,11 +471,13 @@ static void menu_header(request_rec *r, char *menu) #endif ap_hard_timeout("send menu", r); /* killed in menu_footer */ - ap_rvputs(r, DOCTYPE_HTML_3_2, "\nMenu for ", r->uri, - "\n\n", NULL); + ap_rvputs(r, DOCTYPE_HTML_3_2, "\nMenu for ", + ap_escape_html(r->pool, r->uri), + "\n\n", NULL); if (!strcasecmp(menu, "formatted")) { - ap_rvputs(r, "

Menu for ", r->uri, "

\n
\n\n", NULL); + ap_rvputs(r, "

Menu for ", ap_escape_html(r->pool, r->uri), + "

\n
\n\n", NULL); } return;
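Review bot: The two `ap_rvputs` calls in menu_header each call `ap_escape_html(r->pool, r->uri)` on their own, so the "formatted" path escapes and pool-allocates the same string twice, and a later edit can change one output site without the other. Escaping once into a local declared at the top of the function, `const char *uri = ap_escape_html(r->pool, r->uri);`, and passing `uri` to both calls would keep the title and the heading in step. The code also carries no comment explaining why these lines exist; something like `/* r->uri is request-derived: escape it, and keep the explicit charset so browsers do not sniff another encoding */` would record that the `charset=ISO-8859-1` set in the previous hunk is part of the same fix, as the commit message states, and not cosmetic. menu_header starts in the previous hunk and its closing brace lies outside this one.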