From: Jeff Trawick
Date: Sat, 15 Dec 2007 13:32:51 +0000 (+0000)
Subject: merge r603346 from trunk:
X-Git-Tag: 2.0.62~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc414718acd0f5b7d50b44c67038651cae5d7754;p=thirdparty%2Fapache%2Fhttpd.git

merge r603346 from trunk:

http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings.

Reviewed by: wrowe, rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@604426 13f79535-47bb-0310-9956-ffa450edef68

---
diff --git a/CHANGES b/CHANGES index a44cfe5d4ac..9e5e3002569 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.62 + *) http_protocol: Escape request method in 405 error reporting. + This has no security impact since the browser cannot be tricked + into sending arbitrary method strings. [Jeff Trawick] + *) http_protocol: Escape request method in 413 error reporting. Determined to be not generally exploitable, but a flaw in any case. PR 44014 [Victor Stinner ] diff --git a/STATUS b/STATUS index edddadc25c8..511ec53d640 100644 --- a/STATUS +++ b/STATUS @@ -129,13 +129,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * http_protocol: Escape request method in 405 error reporting. - Trunk: - http://svn.apache.org/viewvc?view=rev&revision=603346 - 2.0.x: - Trunk patch applies. - +1: trawick, wrowe, rpluem - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ please place SVN revisions from trunk here, so it is easy to identify exactly what the proposed changes are! Add all new diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c index d521842b7b6..deff80bc399 100644 --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c 
@@ -2182,7 +2182,8 @@ static const char *get_canned_error_string(int status, NULL)); case HTTP_METHOD_NOT_ALLOWED: return(apr_pstrcat(p, - "

The requested method ", r->method, + "

The requested method ", + ap_escape_html(r->pool, r->method), " is not allowed for the URL ", ap_escape_html(r->pool, r->uri), ".

\n",
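Review bot: the new CHANGES entry for the 405 case cites neither the trunk revision nor a PR number, whereas the 413 entry directly below it records "PR 44014"; since this is a backport, consider appending the trunk revision (r603346, from the commit subject) to the entry so the 2.0.x change stays traceable to its origin.

Review bot: in the http_protocol.c hunk the escaping is right, but the pool choice is mixed: the enclosing apr_pstrcat allocates from p while the added ap_escape_html(r->pool, r->method) and the pre-existing ap_escape_html(r->pool, r->uri) both allocate from r->pool. That is harmless if p and r->pool are the same pool, but passing p to both escape calls would tie the temporaries to the same lifetime as the concatenated result and remove the need to reason about two pools in one expression.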