From 14e37944f999e75071e35681b64c4b7dd293ed9d Mon Sep 17 00:00:00 2001
From: Ruediger Pluem
Date: Tue, 5 Aug 2008 19:00:04 +0000
Subject: [PATCH] * Prevent XSS attacks when using wildcards in the path of the FTP URL (CVE-2008-2939). Discovered by Marc Bevand of Rapid7.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@682868 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/proxy/mod_proxy_ftp.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
index e2350f4768..31a9ae3de9 100644
--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
@@ -390,6 +390,7 @@ static apr_status_t proxy_send_dir_filter(ap_filter_t *f,
 c->bucket_alloc));
 }
 if (wildcard != NULL) {
+ wildcard = ap_escape_html(p, wildcard);
 APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard, strlen(wildcard), p, c->bucket_alloc));
-- 
2.50.1
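Review bot: The added line in the `if (wildcard != NULL)` block overwrites `wildcard` with its HTML-escaped form, so any later use of that variable in proxy_send_dir_filter would see encoded text rather than the original pattern; the function continues outside this hunk, so that cannot be ruled out from here. Keeping the raw and encoded values apart avoids the ambiguity, e.g. `const char *wc_html = ap_escape_html(p, wildcard);` as the first statement of the block, then passing `wc_html, strlen(wc_html)` to `apr_bucket_pool_create`. A short comment such as `/* wildcard comes from the client-supplied FTP URL path and is written into the HTML listing */` would record why the encoding has to stay next to this output. The brigade insert that ends on the first context line is not visible here, so it is worth confirming that any URL-derived text it emits is encoded the same way.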