SECURITY: CVE-2012-2687 (cve.mitre.org):
mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files to a
location with MultiViews enabled.
* modules/mappers/mod_negotiation.c (make_variant_list): Escape
filenames in variant list.
Submitted by: Niels Heinen <heinenn google.com>
Reviewed by: covener, jorton, sf
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1356889 13f79535-47bb-0310-9956-ffa450edef68
Changes with Apache 2.4.3
+ *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+ mod_negotiation: Escape filenames in variant list to prevent an
+ possible XSS for a site where untrusted users can upload files to
+ a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]
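Review bot: the added CHANGES entry reads "to prevent an possible XSS"; that should be "a possible XSS". Since this text ships in the release notes, it is worth fixing here rather than in a follow-up.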
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_negotiation: CVE-2012-2687 XSS in mod_negotiation
- trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905
- 2.4.x patch: trunk works
- +1: covener, jorton, sf
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
* need to change the calculation of max_vlist_array above.
*/
*((const char **) apr_array_push(arr)) = "<li><a href=\"";
- *((const char **) apr_array_push(arr)) = filename;
+ *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
*((const char **) apr_array_push(arr)) = "\">";
- *((const char **) apr_array_push(arr)) = filename;
+ *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
*((const char **) apr_array_push(arr)) = "</a> ";
*((const char **) apr_array_push(arr)) = description;
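Review bot: `description`, on the context line right after the `"</a> "` push, is still appended to the variant list raw while the filename next to it now goes through ap_escape_html(). If the description can ever be derived from the same untrusted uploads, it needs the same treatment, e.g. `ap_escape_html(r->pool, description)`; if it is always trusted, a one-line comment saying why would settle the question for the next reader. A short comment would also help on the two different escapers: ap_escape_path_segment() for the href value and ap_escape_html() for the link text are chosen per output context, and that should be stated so they are not "unified" later.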