From d6ec62de48a81c1e9e66e44133102898e177fce1 Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Sat, 29 Dec 2007 09:39:23 +0000 Subject: [PATCH] Merge r607282 from trunk: * Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. Submitted by: Mark Cox, Joe Orton Reviewed by: rpluem, wrowe, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@607408 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 7 ++++++- STATUS | 8 -------- modules/generators/mod_status.c | 24 ++++++++++++------------ 3 files changed, 18 insertions(+), 21 deletions(-) diff --git a/CHANGES b/CHANGES index aa043e13a2f..e98515cb435 100644 --- a/CHANGES +++ b/CHANGES @@ -1,9 +1,14 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.7 + *) SECURITY: CVE-2007-6388 (cve.mitre.org) + mod_status: Ensure refresh parameter is numeric to prevent + a possible XSS attack caused by redirecting to other URLs. + Reported by SecurityReason. [Mark Cox, Joe Orton] + *) SECURITY: CVE-2007-5000 (cve.mitre.org) mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. - [Joe Orton] + [Joe Orton] *) http_protocol: Escape request method in 405 error reporting. This has no security impact since the browser cannot be tricked diff --git a/STATUS b/STATUS index d9832ad4ed2..1a1c4761ba9 100644 --- a/STATUS +++ b/STATUS @@ -112,14 +112,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_status: Ensure refresh parameter is numeric to prevent a possible XSS - attack caused by redirecting to other URLs. - Trunk version of patch: - http://svn.apache.org/viewvc?rev=607282&view=rev - Backport version for 2.0.x of patch: - http://awe.com/e8f6ad05238f8/CVE-2007-6388-httpd-2.x.patch - +1: rpluem, wrowe, jorton - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c index 99287e09f75..691dd075c1f 100644 --- a/modules/generators/mod_status.c +++ b/modules/generators/mod_status.c @@ -71,6 +71,7 @@ #endif #define APR_WANT_STRFUNC #include "apr_want.h" +#include "apr_strings.h" #ifdef NEXT #if (NX_CURRENT_COMPILER_RELEASE == 410) @@ -296,19 +297,18 @@ static int status_handler(request_rec *r) if ((loc = ap_strstr_c(r->args, status_options[i].form_data_str)) != NULL) { switch (status_options[i].id) { - case STAT_OPT_REFRESH: - if (*(loc + strlen(status_options[i].form_data_str)) == '=' - && atol(loc + strlen(status_options[i].form_data_str) - + 1) > 0) - apr_table_set(r->headers_out, - status_options[i].hdr_out_str, - loc + - strlen(status_options[i].hdr_out_str) + - 1); - else - apr_table_set(r->headers_out, - status_options[i].hdr_out_str, "1"); + case STAT_OPT_REFRESH: { + apr_size_t len = strlen(status_options[i].form_data_str); + long t = 0; + + if (*(loc + len ) == '=') { + t = atol(loc + len + 1); + } + apr_table_set(r->headers_out, + status_options[i].hdr_out_str, + apr_ltoa(r->pool, t < 1 ? 1 : t)); break; + } case STAT_OPT_NOTABLE: no_table_report = 1; break; -- 2.47.2