From: William A. Rowe Jr <wrowe@apache.org>
Date: Wed, 12 Dec 2007 19:38:26 +0000 (+0000)
Subject: Fix CVE-2007-5000:
X-Git-Tag: 2.2.7~105
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8008a682eec47a9d93f919f61239b11a474dda7;p=thirdparty%2Fapache%2Fhttpd.git

Fix CVE-2007-5000:

* modules/mappers/mod_imagemap.c (menu_header): Fix
  cross-site-scripting issue by escaping the URI, and ensure that a
  charset parameter is sent in the content-type to prevent
  autodetection by broken browsers.

Reported by: JPCERT

Backports: r603282
Submitted by: jorton
Reviewed by: rpluem, trawick, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@603711 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 260a89ec6f3..07e96909e15 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.7
 
+  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+     mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
+     [Joe Orton]  
+
   *) core: Fix broken chunk filtering that causes all non blocking reads to be
      converted into blocking reads.  PR 19954, 41056.
      [Jean-Frederic Clere, Jim Jagielski]
diff --git a/STATUS b/STATUS
index 50299e0355c..0de4642e30a 100644
--- a/STATUS
+++ b/STATUS
@@ -85,13 +85,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.2.x version of the patch works
      +1 mturk, fuankg, rpluem
 
-   * SECURITY: mod_imagemap: fix XSS issue (CVE-2007-2500)
-      Trunk version of patch:
-        http://svn.apache.org/viewvc?rev=603282&view=rev
-     Backport version for 2.2.x of patch:
-        Trunk version of patch works (will add CHANGES entry too)
-     +1: jorton, rpluem, trawick
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c
index f4dce5ff20e..f6741d35b4e 100644
--- a/modules/mappers/mod_imagemap.c
+++ b/modules/mappers/mod_imagemap.c
@@ -479,13 +479,16 @@ static int imap_reply(request_rec *r, char *redirect)
 
 static void menu_header(request_rec *r, char *menu)
 {
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
-    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
-           "</title>\n</head><body>\n", NULL);
+    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", 
+              ap_escape_html(r->pool, r->uri),
+              "</title>\n</head><body>\n", NULL);
 
     if (!strcasecmp(menu, "formatted")) {
-        ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr />\n\n", NULL);
+        ap_rvputs(r, "<h1>Menu for ", 
+                  ap_escape_html(r->pool, r->uri),
+                  "</h1>\n<hr />\n\n", NULL);
     }
 
     return;