From 6fcb57c89b571a9b53fa9f48bbf46f33e649a727 Mon Sep 17 00:00:00 2001
From: "Mark J. Cox"
Date: Wed, 19 Apr 2006 08:31:28 +0000
Subject: [PATCH] http_protocol: Fix escaping of Expect error message
+1: mjc, trawick, rpluem, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@395172 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 7 ++++++-
STATUS | 7 -------
modules/http/http_protocol.c | 2 +-
3 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/CHANGES b/CHANGES
index f7171f085ca..1710b7d2271 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,13 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.57
-Changes with Apache 2.0.56
+ *) HTML-escape the Expect error message. Not classed as security as
+ an attacker has no way to influence the Expect header a victim will
+ send to a target site. Reported by Thiago Zaninotti
+ . [Mark Cox]
+Changes with Apache 2.0.56
+
*) SECURITY: CVE-2005-3357 (cve.mitre.org)
mod_ssl: Fix a possible crash during access control checks if a
non-SSL request is processed for an SSL vhost (such as the
diff --git a/STATUS b/STATUS
index c164d827703..8c0a38ca75c 100644
--- a/STATUS
+++ b/STATUS
@@ -107,13 +107,6 @@ CURRENT RELEASE NOTES:
RELEASE SHOWSTOPPERS:
- *) http_protocol: Fix escaping of Expect error message
- Trunk version of patch:
- http://svn.apache.org/viewcvs?rev=394965&view=rev
- 2.0.x version of patch:
- Trunk version with changed offsets
- +1: mjc, trawick, rpluem, jim
-
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index a523be9e432..543f4d1555c 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -2268,7 +2268,7 @@ static const char *get_canned_error_string(int status,
"request-header"
"\nfield could not be met by this server.
\n"
"The client sent
\n Expect: ",
- apr_table_get(r->headers_in, "Expect"),
+ ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
"\n
\n"
"but we only allow the 100-continue "
"expectation.\n",
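Review bot: The added line hands the result of `apr_table_get(r->headers_in, "Expect")` straight to `ap_escape_html` with no NULL check; if this 417 text is ever generated for a request that carried no Expect header (a module returning HTTP_EXPECTATION_FAILED on its own, for instance), the escaper is invoked on NULL, whereas before the change the NULL presumably just terminated the varargs concatenation that builds the message. Escaping the reflected header value is the right fix for the markup-injection issue; it only needs a guard so the absent-header case stays as harmless as it was: `const char *expect = apr_table_get(r->headers_in, "Expect");` before the message and `expect ? ap_escape_html(r->pool, expect) : "",` in place of the new line. The enclosing get_canned_error_string begins and ends outside the hunk, so the declaration would need to go at the top of whatever scope the concatenation lives in.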
--
2.47.2