From: Mark J. Cox Date: Wed, 19 Apr 2006 08:28:04 +0000 (+0000) Subject: Fix escaping of Expect error message X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0515c2dd98b0be8363997c0e0b4b9db690c7611;p=thirdparty%2Fapache%2Fhttpd.git Fix escaping of Expect error message http://svn.apache.org/viewcvs?rev=394965&view=rev +1: mjc, trawick, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@395171 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 1b30934305d..7ac33ce379f 100644 --- a/STATUS +++ b/STATUS @@ -51,12 +51,6 @@ Release: RELEASE SHOWSTOPPERS: - *) http_protocol: Fix escaping of Expect error message - http://svn.apache.org/viewcvs?rev=394965&view=rev - http://people.redhat.com/mjc/20060411-expect-apache13.patch - +1: mjc, trawick, wrowe - - PROPOSED PATCHES FOR THIS RELEASE: *) mod_rewrite on Win32: change the mutex mechanism for RewriteLog diff --git a/src/CHANGES b/src/CHANGES index 4e61abc32f1..ba2c64662c2 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,10 @@ Changes with Apache 1.3.35 + *) HTML-escape the Expect error message. Not classed as security as + an attacker has no way to influence the Expect header a victim will + send to a target site. Reported by Thiago Zaninotti + . [Mark Cox] + *) SECURITY: CVE-2005-3352 (cve.mitre.org) mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to diff --git a/src/main/http_protocol.c b/src/main/http_protocol.c index 7ecba30edf3..6c0d6aba0b2 100644 --- a/src/main/http_protocol.c +++ b/src/main/http_protocol.c @@ -3137,7 +3137,7 @@ API_EXPORT(void) ap_send_error_response(request_rec *r, int recursive_error) ap_rvputs(r, "The expectation given in the Expect request-header" "\nfield could not be met by this server.

\n" "The client sent

\n    Expect: ",
-	              ap_table_get(r->headers_in, "Expect"), "\n
\n" + ap_escape_html(r->pool, ap_table_get(r->headers_in, "Expect")), "\n\n" "but we only allow the 100-continue expectation.\n", NULL); break;
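Review bot: in the src/CHANGES hunk the reporter attribution ends with a dangling " ." ("Reported by Thiago Zaninotti ."), which reads as though the reporter's address was dropped from the line; either restore it or tighten the sentence to "Reported by Thiago Zaninotti. [Mark Cox]". The classification rationale ("an attacker has no way to influence the Expect header a victim will send") is the right thing to record here, since the neighbouring CVE-2005-3352 entry treats the same escape-before-output fix on Referer as a security issue and a reader will naturally ask why this one differs.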
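Review bot: in the src/main/http_protocol.c hunk, `ap_escape_html(r->pool, ap_table_get(r->headers_in, "Expect"))` dereferences a NULL pointer if the Expect header is absent, because `ap_table_get` returns NULL for a missing key and `ap_escape_html` walks its argument without a NULL check. Before this change the NULL simply terminated the `ap_rvputs` argument list early (truncated output, no crash); after it, any path that reaches the HTTP_EXPECTATION_FAILED branch of `ap_send_error_response` without an Expect header (e.g. a handler returning 417 on its own) becomes a segfault. Either confirm that this branch is only reachable when the header was parsed from the request, or guard it, e.g. `const char *ex = ap_table_get(r->headers_in, "Expect"); ... ex ? ap_escape_html(r->pool, ex) : "", ...`.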