From: Mark J. Cox
Date: Wed, 19 Apr 2006 08:33:19 +0000 (+0000)
Subject: http_protocol: Fix escaping of Expect error message
X-Git-Tag: 2.2.2~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5dd65b6268e6a66a3739330ee172599824f6209;p=thirdparty%2Fapache%2Fhttpd.git
http_protocol: Fix escaping of Expect error message
+1: mjc, trawick, rpluem, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@395173 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 231b312070e..b652b4b7f25 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.2
+ *) HTML-escape the Expect error message. Not classed as security as
+ an attacker has no way to influence the Expect header a victim will
+ send to a target site. Reported by Thiago Zaninotti
+ . [Mark Cox]
+
*) htdbm: Warn the user when adding a plaintext password on a platform
where it wouldn't work with the server (i.e., anywhere that has
crypt()). [Jeff Trawick]
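Review bot: the reporter credit in the new entry is broken: "Reported by Thiago Zaninotti" is followed by a line holding only ". [Mark Cox]", which reads as though the reporter's contact detail was dropped between the two; either remove the stray period or restore what belongs before it. The "Not classed as security" rationale would also be stronger if it stated the premise it rests on: the unescaped value is reflected only to the client that sent the Expect header, so abuse would require an attacker to make a victim's client send a crafted Expect header, which ordinary clients do not let third-party content do. Spelling that out lets a later reader re-evaluate the classification if client behaviour changes, rather than relying on the bare "no way to influence" assertion.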
diff --git a/STATUS b/STATUS
index 20250363713..abd06305893 100644
--- a/STATUS
+++ b/STATUS
@@ -71,13 +71,6 @@ CURRENT RELEASE NOTES:
RELEASE SHOWSTOPPERS:
- * http_protocol: Fix escaping of Expect error message
- Trunk version of patch:
- http://svn.apache.org/viewcvs?rev=394965&view=rev
- 2.2.x version of patch:
- Trunk version with changed offsets
- +1: mjc, trawick, rpluem, jim
-
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
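Review bot: deleting this showstopper entry removes the only pointer to the trunk revision being backported (r394965, http://svn.apache.org/viewcvs?rev=394965&view=rev); neither the new CHANGES entry nor the commit message records it. Carry the trunk revision into the CHANGES entry or the commit message so the 2.2.x change can be traced back to its trunk original.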
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index 46ee7e6eb9d..a1ae9818834 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -996,7 +996,7 @@ static const char *get_canned_error_string(int status,
"request-header"
"\nfield could not be met by this server.
\n"
"The client sent
\n Expect: ",
- apr_table_get(r->headers_in, "Expect"),
+ ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
"\n
\n"
"but we only allow the 100-continue "
"expectation.\n",
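Review bot: the added call passes the raw result of apr_table_get(r->headers_in, "Expect") straight into ap_escape_html(), but apr_table_get() returns NULL when the request carries no Expect header, and ap_escape_html() walks its argument without a NULL check. Before this change a NULL here merely terminated the apr_pstrcat() argument list early; after it, any 417 response produced on a path other than the Expect check in request parsing (for example a module returning HTTP_EXPECTATION_FAILED) dereferences NULL. Fetch the header once and guard it, e.g. `const char *expect = apr_table_get(r->headers_in, "Expect");` earlier in the function and then `expect ? ap_escape_html(r->pool, expect) : "",` in the apr_pstrcat() call, so the canned message stays safe for a missing header.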