From: Stefan Fritsch Date: Tue, 3 Jul 2012 19:44:22 +0000 (+0000) Subject: Merge r1349905: X-Git-Tag: 2.4.3~346 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8289f720d38fb918426bc8aeaf953dba85b795ed;p=apache Merge r1349905: SECURITY: CVE-2012-2687 (cve.mitre.org): mod_negotiation: Escape filenames in variant list to prevent an possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. * modules/mappers/mod_negotiation.c (make_variant_list): Escape filenames in variant list. Submitted by: Niels Heinen Reviewed by: covener, jorton, sf git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1356889 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1d1b871754..94df531e82 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,11 @@ Changes with Apache 2.4.3 + *) SECURITY: CVE-2012-2687 (cve.mitre.org) + mod_negotiation: Escape filenames in variant list to prevent an + possible XSS for a site where untrusted users can upload files to + a location with MultiViews enabled. [Niels Heinen ] + *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). [Paul Wouters , Joe Orton] diff --git a/STATUS b/STATUS index 03fd5462e5..09bbbf7c32 100644 --- a/STATUS +++ b/STATUS @@ -88,11 +88,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_negotiation: CVE-2012-2687 XSS in mod_negotiation - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905 - 2.4.x patch: trunk works - +1: covener, jorton, sf - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c index cba118c611..5f3232b8a5 100644 --- a/modules/mappers/mod_negotiation.c +++ b/modules/mappers/mod_negotiation.c 
@@ -2656,9 +2656,9 @@ static char *make_variant_list(request_rec *r, negotiation_state *neg) * need to change the calculation of max_vlist_array above. */ *((const char **) apr_array_push(arr)) = "
  • pool, filename); *((const char **) apr_array_push(arr)) = "\">"; - *((const char **) apr_array_push(arr)) = filename; + *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename); *((const char **) apr_array_push(arr)) = " "; *((const char **) apr_array_push(arr)) = description;
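Review bot: In the CHANGES hunk, the added entry says "to prevent an possible XSS", which should read "a possible XSS". The commit message carries the same wording, so correct both together to keep the release notes and the log consistent.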
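Review bot: In the modules/mappers/mod_negotiation.c hunk (make_variant_list), the trailing context line still pushes `description` onto `arr` unescaped, directly after the link text that now goes through `ap_escape_html(r->pool, filename)`. If that string can be influenced by whoever supplies the variant, it ends up in the same generated list without any escaping. Either pass it through ap_escape_html as well, or add a comment at that push stating why it is trusted. The change swaps each push one for one (the hunk stays at 9 lines on both sides), so the max_vlist_array calculation mentioned in the context comment should not need adjusting.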