From 8e6437a2d3a2e4ce38382ff295653f0fdb9dd939 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 12 Dec 2007 12:36:54 +0000
Subject: [PATCH] Fix CVE-2007-5000:

* src/modules/standard/mod_imap.c (menu_header): Fix cross-site scripting issue by escaping the URI, and ensure that a charset parameter is sent in the content-type to prevent autodetection by broken browsers.
Reported by: JPCERT
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@603597 13f79535-47bb-0310-9956-ffa450edef68
---
 src/CHANGES | 4 ++++
 src/modules/standard/mod_imap.c | 10 ++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/CHANGES b/src/CHANGES
index 5d8f71509d0..876990db1cd 100644
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.40

+ *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+ mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
+ [Joe Orton]
+
 *) SECURITY: CVE-2007-3847 (cve.mitre.org)
 mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144.
diff --git a/src/modules/standard/mod_imap.c b/src/modules/standard/mod_imap.c
index fc9e1b455e8..ff2d2848e12 100644
--- a/src/modules/standard/mod_imap.c
+++ b/src/modules/standard/mod_imap.c
@@ -463,7 +463,7 @@ static int imap_reply(request_rec *r, char *redirect)

 static void menu_header(request_rec *r, char *menu)
 {
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=ISO-8859-1";
 ap_send_http_header(r);
 #ifdef CHARSET_EBCDIC
 /* Server-generated response, converted */
@@ -471,11 +471,13 @@ static void menu_header(request_rec *r, char *menu)
 #endif
 ap_hard_timeout("send menu", r); /* killed in menu_footer */

- ap_rvputs(r, DOCTYPE_HTML_3_2, "\nMenu for ", r->uri,
- "\n\n", NULL);
+ ap_rvputs(r, DOCTYPE_HTML_3_2, "\nMenu for ",
+ ap_escape_html(r->pool, r->uri),
+ "\n\n", NULL);

 if (!strcasecmp(menu, "formatted")) {
- ap_rvputs(r, "

Menu for ", r->uri, "

\n
\n\n", NULL); + ap_rvputs(r, "

Menu for ", ap_escape_html(r->pool, r->uri), + "

\n
\n\n", NULL); } return; -- 2.47.2
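Review bot: `ap_escape_html(r->pool, r->uri)` is evaluated twice in menu_header, once in the header write and again inside the `formatted` branch, so the same escaped copy is allocated from the request pool twice and each output site stays safe only if the call is remembered there. Escaping once at the top of the function, `const char *uri = ap_escape_html(r->pool, r->uri);`, and passing `uri` to both `ap_rvputs` calls would leave no raw `r->uri` in the function for a later edit to reuse. The pinned charset in the first mod_imap.c hunk also deserves a comment such as `/* explicit charset so browsers do not guess the encoding of the reflected URI */`, because the reason is currently recorded only in the commit message. The closing brace of menu_header and the module's other menu writers lie outside these hunks, so whether they emit request-derived text unescaped cannot be confirmed from here.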