From 8e84437725dff26d86d2efb58ef8af1bf918604b Mon Sep 17 00:00:00 2001 From: Rainer Jung Date: Mon, 18 Feb 2013 16:52:21 +0000 Subject: [PATCH] - various mods: host and URI escaping: Be sure to escape potential troubled strings, add missing html escaping - const fixes for mod_imagemap Submitted by: jim, sf, covener Backported by: rjung Reviewed by: rpluem, wrowe Backport of r1413732, r1418752, r1416889, r1422234 and r1422253 from trunk resp. r1418941 and r1425750 from 2.4.x. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1447390 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ STATUS | 12 ---------- modules/generators/mod_info.c | 3 ++- modules/generators/mod_status.c | 3 ++- modules/ldap/util_ldap_cache_mgr.c | 2 +- modules/mappers/mod_imagemap.c | 38 +++++++++++++++++++----------- modules/proxy/mod_proxy_balancer.c | 8 ++++--- modules/proxy/mod_proxy_ftp.c | 4 +++- 8 files changed, 41 insertions(+), 33 deletions(-) diff --git a/CHANGES b/CHANGES index ca458741358..cca5491a66a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.24 + *) mod_status, mod_info, mod_proxy_ftp, mod_proxy_balancer, mod_imagemap, + mod_ldap: Improve escaping of hostname and URIs HTML output. + [Jim Jagielski, Stefan Fritsch] + *) mod_ssl: Send the error message for speaking http to an https port using HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when using SNI. PR 50823. [Stefan Fritsch] diff --git a/STATUS b/STATUS index cb16f9e022b..f4b9a986da0 100644 --- a/STATUS +++ b/STATUS 
@@ -94,18 +94,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * various mods: host and URI escaping. Includes needed constification - fix for mod_imagemap. - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1413732 - http://svn.apache.org/viewvc?view=revision&revision=1418752 - http://svn.apache.org/viewvc?view=revision&revision=1416889 - http://svn.apache.org/viewvc?view=revision&revision=1422234 - http://svn.apache.org/viewvc?view=revision&revision=1422253 - 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1418941 - http://svn.apache.org/viewvc?view=revision&revision=1425750 - 2.2.x patch: http://people.apache.org/~rjung/patches/host-and-uri-escaping-2_2.patch - +1: rjung, rpluem, wrowe - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/generators/mod_info.c b/modules/generators/mod_info.c index 297953fd0a2..d924f20a05a 100644 --- a/modules/generators/mod_info.c +++ b/modules/generators/mod_info.c @@ -371,7 +371,8 @@ static int show_server_settings(request_rec * r) MODULE_MAGIC_NUMBER_MINOR); ap_rprintf(r, "
Hostname/port: " - "%s:%u
\n", ap_get_server_name(r), + "%s:%u\n", + ap_escape_html(r->pool, ap_get_server_name(r)), ap_get_server_port(r)); ap_rprintf(r, "
Timeouts: " diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c index bcf9b10c4ac..1c64d6e2509 100644 --- a/modules/generators/mod_status.c +++ b/modules/generators/mod_status.c @@ -409,7 +409,8 @@ static int status_handler(request_rec *r) "\nApache Status\n\n", r); ap_rputs("

Apache Server Status for ", r); - ap_rvputs(r, ap_get_server_name(r), "

\n\n", NULL); + ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)), + "\n\n", NULL); ap_rvputs(r, "
Server Version: ", ap_get_server_description(), "
\n", NULL); ap_rvputs(r, "
Server Built: ", diff --git a/modules/ldap/util_ldap_cache_mgr.c b/modules/ldap/util_ldap_cache_mgr.c index b0283715948..4d71606289c 100644 --- a/modules/ldap/util_ldap_cache_mgr.c +++ b/modules/ldap/util_ldap_cache_mgr.c @@ -541,7 +541,7 @@ char *util_ald_cache_display_stats(request_rec *r, util_ald_cache_t *cache, char if (id) { buf2 = apr_psprintf(p, "%s", - r->uri, + ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)), id, name); } diff --git a/modules/mappers/mod_imagemap.c b/modules/mappers/mod_imagemap.c index f6741d35b4e..4f365fb7b90 100644 --- a/modules/mappers/mod_imagemap.c +++ b/modules/mappers/mod_imagemap.c @@ -320,7 +320,7 @@ static void read_quoted(char **string, char **quoted_part) /* * returns the mapped URL or NULL. */ -static char *imap_url(request_rec *r, const char *base, const char *value) +static const char *imap_url(request_rec *r, const char *base, const char *value) { /* translates a value into a URL. */ int slen, clen; @@ -342,7 +342,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value) if (!strcasecmp(value, "referer")) { referer = apr_table_get(r->headers_in, "Referer"); if (referer && *referer) { - return ap_escape_html(r->pool, referer); + return referer; } else { /* XXX: This used to do *value = '\0'; ... which is totally bogus @@ -459,7 +459,7 @@ static char *imap_url(request_rec *r, const char *base, const char *value) return my_base; } -static int imap_reply(request_rec *r, char *redirect) +static int imap_reply(request_rec *r, const char *redirect) { if (!strcasecmp(redirect, "error")) { /* they actually requested an error! */ 
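Review bot: In the util_ldap_cache_mgr.c hunk only the first argument to apr_psprintf is escaped; `id` and `name` on the next line are still passed through as-is. The format string is not fully legible on this page, so which of them lands in the link target and which in the link text is an assumption, but if either can carry text that is not generated by the module itself it needs the matching escape, e.g. `ap_escape_html(r->pool, name)`. The nesting `ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri))` is the correct order for a URL placed inside an HTML attribute and deserves a short comment such as `/* URI-escape first, then HTML-escape for the attribute context */`, because the other modules touched by this commit apply ap_escape_uri alone. util_ald_cache_display_stats begins and ends outside the hunk.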
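Review bot: In the mod_imagemap.c hunk at -342, imap_url now hands back the raw Referer request header at `return referer;`, so the safety of that string depends on every consumer escaping it for its own output context. The menu_default and menu_directive hunks later in this file do so, but imap_reply and the remaining users of the returned value lie outside the visible hunks and should be checked as part of this change. A comment at the return would keep the contract visible, for example `/* raw request header: callers must escape for their output context */`. The `const char *` return type from the preceding hunk only says the buffer must not be modified, not that it is untrusted.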
@@ -523,42 +523,52 @@ static void menu_comment(request_rec *r, char *menu, char *comment) 'formatted' form */ } -static void menu_default(request_rec *r, char *menu, char *href, char *text) +static void menu_default(request_rec *r, const char *menu, const char *href, const char *text) { + char *ehref, *etext; if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) { return; /* don't print such lines, these aren't really href's */ } + + ehref = ap_escape_uri(r->pool, href); + etext = ap_escape_html(r->pool, text); + if (!strcasecmp(menu, "formatted")) { - ap_rvputs(r, "
(Default) ", text,
+        ap_rvputs(r, "
(Default) ", etext,
                "
\n", NULL); } if (!strcasecmp(menu, "semiformatted")) { - ap_rvputs(r, "
(Default) ", text,
+        ap_rvputs(r, "
(Default) ", etext,
                "
\n", NULL); } if (!strcasecmp(menu, "unformatted")) { - ap_rvputs(r, "", text, "", NULL); + ap_rvputs(r, "", etext, "", NULL); } return; } -static void menu_directive(request_rec *r, char *menu, char *href, char *text) +static void menu_directive(request_rec *r, const char *menu, const char *href, const char *text) { + char *ehref, *etext; if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) { return; /* don't print such lines, as this isn't really an href */ } + + ehref = ap_escape_uri(r->pool, href); + etext = ap_escape_html(r->pool, text); + if (!strcasecmp(menu, "formatted")) { - ap_rvputs(r, "
          ", text,
+        ap_rvputs(r, "
          ", etext,
                "
\n", NULL); } if (!strcasecmp(menu, "semiformatted")) { - ap_rvputs(r, "
          ", text,
+        ap_rvputs(r, "
          ", etext,
                "
\n", NULL); } if (!strcasecmp(menu, "unformatted")) { - ap_rvputs(r, "", text, "", NULL); + ap_rvputs(r, "", etext, "", NULL); } return; } @@ -574,9 +584,9 @@ static int imap_handler_internal(request_rec *r) char *directive; char *value; char *href_text; - char *base; - char *redirect; - char *mapdflt; + const char *base; + const char *redirect; + const char *mapdflt; char *closest = NULL; double closest_yet = -1; apr_status_t status; diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c index 325fdb21196..cc040066613 100644 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c @@ -829,7 +829,8 @@ static int balancer_handler(request_rec *r) ap_rputs(DOCTYPE_HTML_3_2 "Balancer Manager\n", r); ap_rputs("
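Review bot: In menu_default and menu_directive, `ehref` is written into a quoted href attribute after ap_escape_uri alone, while the util_ldap_cache_mgr.c hunk in this same commit wraps the URI escape in ap_escape_html. ap_escape_uri is a path escaper and, as far as I know, leaves `&` untouched, so `ehref = ap_escape_html(r->pool, ap_escape_uri(r->pool, href));` would be context-correct for HTML and consistent with that hunk. Because it is a path escaper it will also percent-encode a `?` or an already-encoded `%` in a map-file or Referer URL, which can change where the generated link points; a test with an href carrying a query string would confirm whether that matters here. The two functions now open with the same escaping preamble, which could move into one small static helper.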

Load Balancer Manager for ", r); - ap_rvputs(r, ap_get_server_name(r), "

\n\n", NULL); + ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)), + "\n\n", NULL); ap_rvputs(r, "
Server Version: ", ap_get_server_description(), "
\n", NULL); ap_rvputs(r, "
Server Built: ", @@ -864,7 +865,8 @@ static int balancer_handler(request_rec *r) worker = (proxy_worker *)balancer->workers->elts; for (n = 0; n < balancer->workers->nelts; n++) { char fbuf[50]; - ap_rvputs(r, "\nuri, "?b=", + ap_rvputs(r, "\npool, r->uri), "?b=", balancer->name + sizeof("balancer://") - 1, "&w=", ap_escape_uri(r->pool, worker->name), "&nonce=", balancer_nonce, @@ -905,7 +907,7 @@ static int balancer_handler(request_rec *r) ap_rputs("
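Review bot: In the balancer_handler hunk at -864 the `?b=` value, `balancer->name + sizeof("balancer://") - 1`, still goes into the href unescaped, although `r->uri` and `worker->name` on the neighbouring lines pass through ap_escape_uri. The hunk at -905 has the same gap in its context lines, where `ap_rvputs(r, wsel->name, ...)` writes the worker name into the heading without ap_escape_html. Both values presumably come from configuration rather than from the request, but escaping them costs nothing and removes the need to reason about their origin: `ap_escape_uri(r->pool, balancer->name + sizeof("balancer://") - 1)` and `ap_escape_html(r->pool, wsel->name)`. As in mod_imagemap, the URI-escaped strings here sit inside HTML attributes without an outer ap_escape_html. balancer_handler extends well beyond these hunks.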

Edit worker settings for ", r); ap_rvputs(r, wsel->name, "

\n", NULL); ap_rvputs(r, "
uri, "\">\n
", NULL); + ap_rvputs(r, ap_escape_uri(r->pool, r->uri), "\">\n
", NULL); ap_rputs("\n", wsel->s->lbfactor); ap_rputs("
Load factor:
LB Set:\n" " \n

Directory of " "%s/%s", - site, basedir, escpath, site, basedir, escpath, site, str); + ap_escape_html(p, site), basedir, escpath, + ap_escape_uri(p, site), basedir, escpath, + ap_escape_uri(p, site), str); APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str), p, c->bucket_alloc)); -- 2.47.2