Commit 061b9fa2 authored by Sander Temme

Propose backport of refresh parameter input sanitizing patch.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@609410 13f79535-47bb-0310-9956-ffa450edef68
parent 8753e829
+10 −0
@@ -56,6 +56,16 @@ Release:

RELEASE SHOWSTOPPERS:

   *) SECURITY: CVE-2007-6388 (cve.mitre.org)
      mod_status: Ensure refresh parameter is numeric to prevent
      a possible XSS attack caused by redirecting to other URLs.
      Reported by SecurityReason.  [Mark Cox]
      Trunk version of patch: 
        http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=590641&r2=607873
      1.3 version of patch attached to: 
        http://mail-archives.apache.org/mod_mbox/httpd-dev/200801.mbox/%3c47813C93.4020507@apache.org%3e
      +1: sctemme (with fuankg's change of default refresh time to 10 seconds in r607873)

PROPOSED PATCHES FOR THIS RELEASE:

   *) mod_rewrite on Win32: change the mutex mechanism for RewriteLog
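Review bot: the 1.3 version of the patch is referenced only through a mailing-list attachment (the `http://mail-archives.apache.org/mod_mbox/httpd-dev/200801.mbox/...` line) while the trunk version is given as a viewvc revision diff (r590641 to r607873), so a voter reading STATUS cannot confirm from the entry alone that the attached 1.3 diff matches the trunk fix; record the 1.3 diff under a revision or issue reference once it is committed to the branch. The entry also describes the fix only as "Ensure refresh parameter is numeric", yet the +1 line notes a separate behavioural change (default refresh time set to 10 seconds in r607873); stating that default in the description itself would keep the record accurate. Finally, the entry carries a single +1 at the time of proposal, so it should remain under the proposal until the customary additional votes are recorded.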