* Escape pathes of filenames in 406 responses to avoid HTML injections and

  HTTP response splitting.

PR: 46837
Submitted by: Geoff Keating <geoffk apple.com>
Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@752812 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index cb9028c29cdd3b0a9ed1becddd8d948134fed355..b8ae180508d7eb430801045107567675956de7c0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.3.2
 
+  *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid
+     HTML injections and HTTP response splitting.  PR 46837.
+     [Geoff Keating <geoffk apple.com>]
+
   *) mod_ssl: add support for type-safe STACK constructs in OpenSSL
      development HEAD.  PR 45521.  [Kaspar Brand, Sander Temme]
 

diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c
index 923cc050293541c47c35be8a454c70620fe4cf20..976c598e740ae5f8bb6a44f4c48fd6d453476fe0 100644 (file)
--- a/modules/mappers/mod_negotiation.c
+++ b/modules/mappers/mod_negotiation.c
@@ -2530,7 +2530,7 @@ static void set_neg_headers(request_rec *r, negotiation_state *neg,
         /* Generate the string components for this Alternates entry */
 
         *((const char **) apr_array_push(arr)) = "{\"";
-        *((const char **) apr_array_push(arr)) = variant->file_name;
+        *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, variant->file_name);
         *((const char **) apr_array_push(arr)) = "\" ";
 
         qstr = (char *) apr_palloc(r->pool, 6);
@@ -2804,7 +2804,7 @@ static int setup_choice_response(request_rec *r, negotiation_state *neg,
     }
 
     apr_table_setn(r->err_headers_out, "Content-Location",
-                  apr_pstrdup(r->pool, variant->file_name));
+                  ap_escape_path_segment(r->pool, variant->file_name));
 
     set_neg_headers(r, neg, alg_choice);         /* add Alternates and Vary */