From: Jim Jagielski Date: Fri, 14 Dec 2007 13:46:43 +0000 (+0000) Subject: Merge r603346 from trunk: X-Git-Tag: 2.2.7~96 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9aa8b50784370e38cdb8eba01786ca4145b1b0c5;p=thirdparty%2Fapache%2Fhttpd.git Merge r603346 from trunk: http_protocol: Escape request method in 405 error reporting. This has no security impact since the browser cannot be tricked into sending arbitrary method strings. (words from jorton) Submitted by: trawick Reviewed by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@604192 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 73f3bd72603..f507b015687 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,10 @@ Changes with Apache 2.2.7 mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. [Joe Orton] + *) http_protocol: Escape request method in 405 error reporting. + This has no security impact since the browser cannot be tricked + into sending arbitrary method strings. [Jeff Trawick] + *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum length we can squeeze inside the AJP message packet. [Mladen Turk] diff --git a/STATUS b/STATUS index 0aeb739aa1a..226a992bd49 100644 --- a/STATUS +++ b/STATUS @@ -79,12 +79,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * escape input method in 405 canned error response - trunk: - http://svn.apache.org/viewvc?view=rev&revision=603346 - 2.2.x: - trunk patch applies - +1: trawick, wrowe, covener PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c index 71d1e9d1a63..87f3f3079a8 100644 --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c 
@@ -913,7 +913,8 @@ static const char *get_canned_error_string(int status, NULL)); case HTTP_METHOD_NOT_ALLOWED: return(apr_pstrcat(p, - "

The requested method ", r->method, + "

The requested method ", + ap_escape_html(r->pool, r->method), " is not allowed for the URL ", ap_escape_html(r->pool, r->uri), ".

\n",
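Review bot: In the http_protocol.c hunk, r->method is now run through ap_escape_html before apr_pstrcat, which brings it in line with the r->uri handling already present on the same line; the other cases of get_canned_error_string should be audited the same way, since any other request-derived string still concatenated raw into a canned HTML body would have the identical reflection pattern. Minor: the new ap_escape_html call allocates from r->pool while the surrounding apr_pstrcat builds the result from p. That is safe because apr_pstrcat copies the bytes into p, and it mirrors the existing r->uri call, but using p in both calls would read more consistently.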
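Review bot: The CHANGES entry states the fix has no security impact because a browser cannot be tricked into sending an arbitrary method string, but it does not say what is actually changed; it should name the output being escaped (the canned HTML body of the 405 response) so a reader can tell this is an output-encoding fix, not a change to how request methods are validated or accepted. The "no security impact" wording also deserves a sentence noting that escaping is still the correct default for any request-controlled value reflected into HTML, regardless of what current clients will send.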