From 9a16262b10e3deb770f778700d1159a9f6937f3d Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Wed, 12 Dec 2007 14:11:30 +0000 Subject: [PATCH] Merge r603282 from trunk: Fix CVE-2007-5000: * modules/mappers/mod_imap.c (menu_header): Fix cross-site-scripting issue by escaping the URI, and ensure that a charset parameter is sent in the content-type to prevent autodetection by broken browsers. Reported by: JPCERT Reviewed by: jorton, rpluem, trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@603619 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ modules/mappers/mod_imap.c | 11 +++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 2e8998fa6d3..f383f48231b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.62 + *) SECURITY: CVE-2007-5000 (cve.mitre.org) + mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. + [Joe Orton] Changes with Apache 2.0.61 diff --git a/modules/mappers/mod_imap.c b/modules/mappers/mod_imap.c index 0ae82c8baa7..f7745c650b8 100644 --- a/modules/mappers/mod_imap.c +++ b/modules/mappers/mod_imap.c @@ -479,13 +479,16 @@ static int imap_reply(request_rec *r, char *redirect) static void menu_header(request_rec *r, char *menu) { - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); - ap_rvputs(r, DOCTYPE_HTML_3_2, "\nMenu for ", r->uri, - "\n\n", NULL); + ap_rvputs(r, DOCTYPE_HTML_3_2, "\nMenu for ", + ap_escape_html(r->pool, r->uri), + "\n\n", NULL); if (!strcasecmp(menu, "formatted")) { - ap_rvputs(r, "

Menu for ", r->uri, "

\n
\n\n", NULL); + ap_rvputs(r, "

Menu for ", + ap_escape_html(r->pool, r->uri), + "

\n
\n\n", NULL); } return; -- 2.47.2
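Review bot: The new content-type line in menu_header pins `charset=ISO-8859-1` without a comment, although the reason is security-relevant: the HTML escaping added below only holds if the browser decodes the page in the declared encoding instead of guessing one. A comment such as `/* explicit charset: keeps browsers from autodetecting an encoding that would defeat the escaping below */` would stop a later cleanup from dropping the parameter. The escaped URI is also built twice when menu is "formatted"; a single `const char *uri = ap_escape_html(r->pool, r->uri);` at the top of the function, used in both ap_rvputs calls, keeps the two outputs in step and saves a pool allocation. The end of the function lies outside the hunk and the other menu writers in mod_imap.c are not visible here, so it is worth confirming that they do not emit request-derived strings unescaped.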