ap_server_signature() against this cross-site scripting
vulnerability exposed by the directive 'UseCanonicalName Off'.
Also HTML-escape the SERVER_NAME environment variable for CGI
and SSI requests. It's safe to escape as only the '<', '>',
and '&' characters are affected, which won't appear in a valid
hostname. Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
[Brian Pane]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97064 13f79535-47bb-0310-9956-ffa450edef68
Changes with Apache 2.0.43
+ *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
+ ap_server_signature() against this cross-site scripting
+ vulnerability exposed by the directive 'UseCanonicalName Off'.
+ Also HTML-escape the SERVER_NAME environment variable for CGI
+ and SSI requests. It's safe to escape as only the '<', '>',
+ and '&' characters are affected, which won't appear in a valid
+ hostname. Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
+ [Brian Pane]
+
*) Fix a core dump in mod_cache when it attemtped to store uncopyable
buckets. This happened, for instance, when a file to be cached
contained SSI tags to execute a CGI script (passed as a pipe
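Review bot: "against this cross-site scripting vulnerability" in the new CAN-2002-0840 entry has no referent, since nothing earlier in the changelog describes the vulnerability. Suggest "against a cross-site scripting vulnerability" and one clause saying where the unescaped name comes from when 'UseCanonicalName Off' is set, so an administrator reading only this entry can tell whether their configuration is affected.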
could lead to an infinite loop. PR 12705
[amund.elstad@ergo.no (Amund Elstad), Jeff Trawick]
- *) Allow POST requests and CGI scripts to work when DAV is enabled
- on the location. [Ryan Bloom]
+ *) SECURITY: Allow POST requests and CGI scripts to work when DAV
+ is enabled on the location. [Ryan Bloom]
*) Allow the UserDir directive to accept a list of directories.
This matches what Apache 1.3 does. Also add documentation for
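Review bot: the reworded DAV entry gains a SECURITY: tag, but its text still describes only a functional fix ("Allow POST requests and CGI scripts to work") and, unlike the CAN-2002-0840 entry added above, gives no identifier or statement of impact. Say what the security consequence was when DAV was enabled on the location, or reference the advisory, so the tag is actionable. The relabel is also not mentioned in the commit message, which covers only the escaping change; it would be easier to trace as its own commit.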
return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
" Server at <a href=\"mailto:",
r->server->server_admin, "\">",
- ap_get_server_name(r), "</a> Port ", sport,
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ "</a> Port ", sport,
"</address>\n", NULL);
}
return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
- " Server at ", ap_get_server_name(r), " Port ", sport,
+ " Server at ",
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ " Port ", sport,
"</address>\n", NULL);
}
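Review bot: in the mailto branch, r->server->server_admin is still concatenated raw into the href="mailto:..." attribute while the server name beside it is now escaped. It is configuration data rather than request data, so the exposure is not the same, but the commit message says the escaping touches only '<', '>' and '&', which would not be sufficient inside a quoted attribute in any case. A short comment stating that server_admin is trusted configuration, or escaping it for the attribute context, would make the asymmetry deliberate. Both returns also repeat ap_escape_html(r->pool, ap_get_server_name(r)); computing it once into a local above the two returns would keep the branches from drifting apart.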
apr_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r));
apr_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version());
- apr_table_addn(e, "SERVER_NAME", ap_get_server_name(r));
+ apr_table_addn(e, "SERVER_NAME",
+ ap_escape_html(r->pool, ap_get_server_name(r)));
apr_table_addn(e, "SERVER_ADDR", r->connection->local_ip); /* Apache */
apr_table_addn(e, "SERVER_PORT",
apr_psprintf(r->pool, "%u", ap_get_server_port(r)));
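Review bot: the new SERVER_NAME assignment carries no comment explaining why an environment variable is HTML-escaped, which is surprising for a value that scripts also use outside HTML output. The reasoning from the commit message (only '<', '>' and '&' change, and none of them appear in a valid hostname) belongs next to the call, together with a mention of 'UseCanonicalName Off'. It is also worth documenting that a script which already escapes SERVER_NAME before printing it will now double-escape '&' when the name is malformed.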