From: Sander Temme Date: Mon, 7 Jan 2008 02:31:11 +0000 (+0000) Subject: Backport mod_status refresh parameter saniziting patch. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f65bd9ed82495386ef5c891c8e58eb421f75567a;p=thirdparty%2Fapache%2Fhttpd.git Backport mod_status refresh parameter saniziting patch. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@609486 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 4092abd7a1c..68e2e65ae7d 100644 --- a/STATUS +++ b/STATUS @@ -56,16 +56,6 @@ Release: RELEASE SHOWSTOPPERS: - *) SECURITY: CVE-2007-6388 (cve.mitre.org) - mod_status: Ensure refresh parameter is numeric to prevent - a possible XSS attack caused by redirecting to other URLs. - Reported by SecurityReason. [Mark Cox] - Trunk version of patch: - http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=590641&r2=607873 - 1.3 version of patch attached to: - http://mail-archives.apache.org/mod_mbox/httpd-dev/200801.mbox/%3c47813C93.4020507@apache.org%3e - +1: sctemme (with fuankg's change of default refresh time to 10 seconds in r607873), rpluem (as well +1 to secs), fuankg - PROPOSED PATCHES FOR THIS RELEASE: *) mod_rewrite on Win32: change the mutex mechanism for RewriteLog diff --git a/src/CHANGES b/src/CHANGES index bddc850a9a3..67f4a5947d2 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,9 @@ Changes with Apache 1.3.41 + *) SECURITY: CVE-2007-6388 (cve.mitre.org) + mod_status: Ensure refresh parameter is numeric to prevent + a possible XSS attack caused by redirecting to other URLs. + Reported by SecurityReason. [Mark Cox] Changes with Apache 1.3.40 diff --git a/src/modules/standard/mod_status.c b/src/modules/standard/mod_status.c index 526b194749a..68460eaf3e4 100644 --- a/src/modules/standard/mod_status.c +++ b/src/modules/standard/mod_status.c 
@@ -232,17 +232,15 @@ static int status_handler(request_rec *r)
 while (status_options[i].id != STAT_OPT_END) {
 if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) {
 switch (status_options[i].id) {
- case STAT_OPT_REFRESH:
- if (*(loc + strlen(status_options[i].form_data_str)) == '='
- && atol(loc + strlen(status_options[i].form_data_str)
- + 1) > 0)
- ap_table_set(r->headers_out,
- status_options[i].hdr_out_str,
- loc + strlen(status_options[i].hdr_out_str) + 1);
- else
- ap_table_set(r->headers_out,
- status_options[i].hdr_out_str, "1");
- break;
+ case STAT_OPT_REFRESH: {
+ long refreshtime = 0;
+ if (*(loc + strlen(status_options[i].form_data_str)) == '=')
+ refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);
+ ap_table_set(r->headers_out,
+ status_options[i].hdr_out_str,
+ ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime));
+ break;
+ }
 case STAT_OPT_NOTABLE:
 no_table_report = 1;
 break;
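Review bot: The added `atol()` call in the STAT_OPT_REFRESH case parses digits taken straight from the query string, and `atol` reports no error and has undefined behaviour when the value does not fit in a `long`. Because the outgoing header is now built with `%ld`, request text can no longer be copied into it, but the parse would be safer as `refreshtime = strtol(loc + strlen(status_options[i].form_data_str) + 1, NULL, 10);`, which saturates on overflow with defined behaviour. The fallback `10` is a magic number that silently replaces the old default of "1"; a comment such as `/* default refresh interval (seconds) when the value is missing or < 1 */` or a named constant would record that. The option is still located with `strstr()` on the context line above, so the keyword is matched anywhere in `r->args`. status_handler begins and ends outside this hunk, so whether that loose match matters cannot be judged from here.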