From dd121d2581e3776aff62839c8d022a42cf9ed7da Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Sun, 10 May 2009 15:11:46 +0000 Subject: [PATCH] Merge r752812 from trunk: * Escape pathes of filenames in 406 responses to avoid HTML injections and HTTP response splitting. PR: 46837 Submitted by: Geoff Keating Reviewed by: rpluem, jim, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773354 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ STATUS | 9 --------- modules/mappers/mod_negotiation.c | 4 ++-- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index b2bbb37ea9c..66edc645d4e 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,10 @@ Changes with Apache 2.2.12 mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. PR 46949 [Ruediger Pluem] + *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid + HTML injections and HTTP response splitting. PR 46837. + [Geoff Keating ] + *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains including multiple INCLUDES filters. PR 39369 [Joe Orton] diff --git a/STATUS b/STATUS index 5a0a19afe5f..26c76dc5ab8 100644 --- a/STATUS +++ b/STATUS @@ -87,15 +87,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_negotiation: Escape pathes of filenames in 406 responses to avoid - HTML injections and HTTP response splitting - Trunk version of patch: - http://svn.apache.org/viewvc?rev=752812&view=rev - Backport version for 2.2.x of patch: - Trunk version of patch works - +1: rpluem, jim, wrowe - - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c index c9fff1e5e54..a9c6bc9e31f 100644 --- a/modules/mappers/mod_negotiation.c +++ b/modules/mappers/mod_negotiation.c @@ -2530,7 +2530,7 @@ static void set_neg_headers(request_rec *r, negotiation_state *neg, /* Generate the string components for this Alternates entry */ *((const char **) apr_array_push(arr)) = "{\""; - *((const char **) apr_array_push(arr)) = variant->file_name; + *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, variant->file_name); *((const char **) apr_array_push(arr)) = "\" "; qstr = (char *) apr_palloc(r->pool, 6); @@ -2804,7 +2804,7 @@ static int setup_choice_response(request_rec *r, negotiation_state *neg, } apr_table_setn(r->err_headers_out, "Content-Location", - apr_pstrdup(r->pool, variant->file_name)); + ap_escape_path_segment(r->pool, variant->file_name)); set_neg_headers(r, neg, alg_choice); /* add Alternates and Vary */ -- 2.47.2