From f17e7e5e1094c44848f3f37a8cf4517985f4f7f1 Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Fri, 16 May 2014 18:54:19 +0000 Subject: [PATCH] * Correctly escape user provided data. PR: 56532 Submitted by: Maksymilian Reviewed by: rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1595305 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 11 +++++++---- modules/proxy/mod_proxy_balancer.c | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 7a1601222f..e87e784ab6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,18 +1,21 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 - + + *) mod_proxy_balancer: Correctly encode user provided data in management + interface. PR 56532 [Maksymilian, ] + *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:" scheme. PR55320. [Alex Liu ] - + *) core: Add ap_mpm_resume_suspended() API to allow a suspended connection to resume. PR56333 [Artem , Edward Lu ] - + *) core: Add ap_mpm_register_socket_callback_timeout() API. [Eric Covener] *) mod_proxy_wstunnel: Honor ProxyWebsocketIdleTimeout in asynchronous processing mode. [Eric Covener] - + *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies. [Jeff Trawick] diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c index c927d3bf6e..acfd3861de 100644 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c @@ -1602,7 +1602,7 @@ static int balancer_handler(request_rec *r) ap_rputs("

Edit balancer settings for ", r); ap_rvputs(r, bsel->s->name, "

\n", NULL); ap_rputs("
\n", NULL); + ap_rvputs(r, ap_escape_uri(r->pool, action), "'>\n", NULL); ap_rputs("
\n\n", r); provs = ap_list_provider_names(r->pool, PROXY_LBMETHOD, "0"); if (provs) { -- 2.40.0
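Review bot: The added `ap_rvputs(r, ap_escape_uri(r->pool, action), "'>\n", NULL);` writes `action` into a single-quoted HTML attribute, but `ap_escape_uri` is a URL-path encoder rather than an HTML encoder; as far as I recall it leaves `'` unencoded, so a quote in `action` could still close the attribute early, which is worth confirming against the escaping table. Matching the encoder to the output context would be safer: delimit the attribute with double quotes and emit `ap_escape_html(r->pool, ap_escape_uri(r->pool, action))`, since `ap_escape_html` covers `"`, `<`, `>` and `&`. The opening quote sits in the preceding `ap_rputs` call, whose literal is not legible on this page, so that line would need the matching delimiter change. The context line `ap_rvputs(r, bsel->s->name, ...)` also emits the balancer name unencoded; if that name can be influenced through the management interface it deserves the same treatment. `balancer_handler` begins and ends outside this hunk, so how `action` is built cannot be checked from here.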