From: William A. Rowe Jr
Date: Wed, 2 Oct 2002 21:35:57 +0000 (+0000)
Subject: *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
X-Git-Tag: 2.0.43~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=01b99447729a3d43891997806106be6bec3637ff;p=apache
*) SECURITY: [CAN-2002-0840] HTML-escape the address produced by ap_server_signature() against this cross-site scripting vulnerability exposed by the directive 'UseCanonicalName Off'. Also HTML-escape the SERVER_NAME environment variable for CGI and SSI requests. It's safe to escape as only the '<', '>', and '&' characters are affected, which won't appear in a valid hostname. Reported by Matthew Murphy . [Brian Pane]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97064 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 83b39ca091..5577012a1c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,14 @@
 Changes with Apache 2.0.43
 
+ *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
+ ap_server_signature() against this cross-site scripting
+ vulnerability exposed by the directive 'UseCanonicalName Off'.
+ Also HTML-escape the SERVER_NAME environment variable for CGI
+ and SSI requests. It's safe to escape as only the '<', '>',
+ and '&' characters are affected, which won't appear in a valid
+ hostname. Reported by Matthew Murphy .
+ [Brian Pane]
+
 *) Fix a core dump in mod_cache when it attemtped to store uncopyable buckets. This happened, for instance, when a file to be cached contained SSI tags to execute a CGI script (passed as a pipe 
@@ -14,8 +23,8 @@ Changes with Apache 2.0.43
 could lead to an infinite loop. PR 12705 [amund.elstad@ergo.no (Amund Elstad), Jeff Trawick]
 
- *) Allow POST requests and CGI scripts to work when DAV is enabled
- on the location. [Ryan Bloom]
+ *) SECURITY: Allow POST requests and CGI scripts to work when DAV
+ is enabled on the location. [Ryan Bloom]
 
 *) Allow the UserDir directive to accept a list of directories. This matches what Apache 1.3 does. Also add documentation for
diff --git a/server/core.c b/server/core.c
index 1d49f656ae..72925533a1 100644
--- a/server/core.c
+++ b/server/core.c
@@ -2240,12 +2240,15 @@ AP_DECLARE(const char *) ap_psignature(const char *prefix, request_rec *r)
 return apr_pstrcat(r->pool, prefix, "
" AP_SERVER_BASEVERSION " Server at server->server_admin, "\">",
- ap_get_server_name(r), " Port ", sport,
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ " Port ", sport,
 "
\n", NULL);
 }
 return apr_pstrcat(r->pool, prefix, "
" AP_SERVER_BASEVERSION
- " Server at ", ap_get_server_name(r), " Port ", sport,
+ " Server at ",
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ " Port ", sport,
 "
\n", NULL);
 }
diff --git a/server/util_script.c b/server/util_script.c
index 00bd6ffd9f..75fd781350 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -266,7 +266,8 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
 apr_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r));
 apr_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version());
- apr_table_addn(e, "SERVER_NAME", ap_get_server_name(r));
+ apr_table_addn(e, "SERVER_NAME",
+ ap_escape_html(r->pool, ap_get_server_name(r)));
 apr_table_addn(e, "SERVER_ADDR", r->connection->local_ip); /* Apache */
 apr_table_addn(e, "SERVER_PORT",
 apr_psprintf(r->pool, "%u",
 ap_get_server_port(r)));
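Review bot: The escaped server name is computed twice in ap_psignature, once in the mailto branch and once in the plain branch, and nothing in the code records why the escape is there — with 'UseCanonicalName Off' the value returned by ap_get_server_name() is derived from the client's Host header, which is the whole reason for the change. Hoist it into one local with a why-comment, `const char *server_name = ap_escape_html(r->pool, ap_get_server_name(r)); /* may be client-supplied under UseCanonicalName Off (CAN-2002-0840) */`, and pass `server_name` to both apr_pstrcat() calls. As the commit message notes, ap_escape_html() rewrites only '<', '>' and '&', which is adequate for the element-content position the name is inserted into but not for an attribute value, so its use should stay limited to that position. The server_admin value is still concatenated unescaped into the mailto: href attribute; it comes from server configuration rather than from the request, so that is a lower-risk follow-up rather than part of this fix. The hunk starts inside ap_psignature's body, so the function's beginning is not visible here.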
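Review bot: Escaping SERVER_NAME here changes what every CGI and SSI consumer receives, not only those that emit HTML: a Host value containing '&', '<' or '>' now reaches scripts as entity text, so a script that compares, logs or re-uses SERVER_NAME in a non-HTML context sees the encoded form. The commit message justifies this because those characters never occur in a valid hostname, but that reasoning belongs next to the code; add `/* Escaped: under UseCanonicalName Off this is the client-supplied Host header (CAN-2002-0840); '<', '>' and '&' cannot occur in a valid hostname, so escaping is lossless for well-formed input */` above the two added lines. Presumably this function also exports the raw request headers as HTTP_* variables elsewhere (outside the hunk), in which case a script echoing HTTP_HOST is not covered by this change, and rejecting Host values containing these characters at request-parsing time would close both paths at once. ap_add_common_vars begins before the hunk; whether it continues past the last context line is not visible here.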