From: Ruediger Pluem Date: Wed, 2 Jan 2008 10:01:11 +0000 (+0000) Subject: Merge r607282 from trunk: X-Git-Tag: 2.0.62~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6a1bc713603bdc5a61e8d45d4d65227269e084e;p=thirdparty%2Fapache%2Fhttpd.git Merge r607282 from trunk: * Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. Submitted by: Mark Cox, Joe Orton Reviewed by: rpluem, fuankg, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@608068 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index f11a1e9f867..7dd99a6ccf2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@  -*- coding: utf-8 -*- Changes with Apache 2.0.62 + *) SECURITY: CVE-2007-6388 (cve.mitre.org) + mod_status: Ensure refresh parameter is numeric to prevent + a possible XSS attack caused by redirecting to other URLs. + Reported by SecurityReason. [Mark Cox, Joe Orton] + *) SECURITY: CVE-2007-5000 (cve.mitre.org) mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. [Joe Orton] diff --git a/STATUS b/STATUS index 311dc847151..d3bacd289a4 100644 --- a/STATUS +++ b/STATUS @@ -126,15 +126,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_status: Ensure refresh parameter is numeric to prevent a possible XSS - attack caused by redirecting to other URLs. - Trunk version of patch: - http://svn.apache.org/viewvc?rev=607282&view=rev - Backport version for 2.0.x of patch: - http://awe.com/e8f6ad05238f8/CVE-2007-6388-httpd-2.x.patch - +1: rpluem, fuankg, wrowe - wrowe is +1 for having that default to a value of 10 instead of 1 @ln# 307 - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ please place SVN revisions from trunk here, so it is easy to identify exactly what the proposed changes are! Add all new 
diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c index cb176ce09cf..ba978d63bd4 100644 --- a/modules/generators/mod_status.c +++ b/modules/generators/mod_status.c @@ -71,6 +71,7 @@ #endif #define APR_WANT_STRFUNC #include "apr_want.h" +#include "apr_strings.h" #ifdef NEXT #if (NX_CURRENT_COMPILER_RELEASE == 410) @@ -281,19 +282,18 @@ static int status_handler(request_rec *r) if ((loc = ap_strstr_c(r->args, status_options[i].form_data_str)) != NULL) { switch (status_options[i].id) { - case STAT_OPT_REFRESH: - if (*(loc + strlen(status_options[i].form_data_str)) == '=' - && atol(loc + strlen(status_options[i].form_data_str) - + 1) > 0) - apr_table_set(r->headers_out, - status_options[i].hdr_out_str, - loc + - strlen(status_options[i].hdr_out_str) + - 1); - else - apr_table_set(r->headers_out, - status_options[i].hdr_out_str, "1"); + case STAT_OPT_REFRESH: { + apr_size_t len = strlen(status_options[i].form_data_str); + long t = 0; + + if (*(loc + len ) == '=') { + t = atol(loc + len + 1); + } + apr_table_set(r->headers_out, + status_options[i].hdr_out_str, + apr_ltoa(r->pool, t < 1 ? 10 : t)); break; + } case STAT_OPT_NOTABLE: no_table_report = 1; break;
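Review bot: In the new STAT_OPT_REFRESH case, `t = atol(loc + len + 1);` still parses request-supplied text with `atol`, which reports no errors and has undefined behaviour when the digits do not fit in a `long`. Re-serialising through `apr_ltoa` does keep the Refresh header numeric, but the parse itself would be safer as `errno = 0; t = strtol(loc + len + 1, NULL, 10); if (errno == ERANGE) t = 0;`, so that an oversized value falls back to the default of 10. That needs `<errno.h>`, which may or may not already be included in this file. It may also be worth clamping `t` to a sane upper bound before it is written to the header. The enclosing status_handler starts and ends outside the hunk.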