Commit 50f7a475 authored by Sander Temme

Backport mod_status refresh parameter sanitizing patch.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@609486 13f79535-47bb-0310-9956-ffa450edef68
parent d74e056d
+0 −10
@@ -56,16 +56,6 @@ Release:

RELEASE SHOWSTOPPERS:

   *) SECURITY: CVE-2007-6388 (cve.mitre.org)
      mod_status: Ensure refresh parameter is numeric to prevent
      a possible XSS attack caused by redirecting to other URLs.
      Reported by SecurityReason.  [Mark Cox]
      Trunk version of patch: 
        http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=590641&r2=607873
      1.3 version of patch attached to: 
        http://mail-archives.apache.org/mod_mbox/httpd-dev/200801.mbox/%3c47813C93.4020507@apache.org%3e
      +1: sctemme (with fuankg's change of default refresh time to 10 seconds in r607873), rpluem (as well +1 to secs), fuankg

PROPOSED PATCHES FOR THIS RELEASE:

   *) mod_rewrite on Win32: change the mutex mechanism for RewriteLog
+4 −0
Changes with Apache 1.3.41

  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
     mod_status: Ensure refresh parameter is numeric to prevent
     a possible XSS attack caused by redirecting to other URLs.
     Reported by SecurityReason.  [Mark Cox]

Changes with Apache 1.3.40
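
Review bot: The 1.3.41 entry describes only the numeric check and leaves out the user-visible behaviour change made in status_handler: a refresh value that is missing or less than 1 now yields a Refresh header of 10 seconds, where the old code sent "1". Suggest adding a clause such as "a missing or non-positive value now defaults to 10 seconds" so administrators who rely on ?refresh can see the change in the release notes.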

+9 −11
@@ -232,17 +232,15 @@ static int status_handler(request_rec *r)
	while (status_options[i].id != STAT_OPT_END) {
	    if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) {
		switch (status_options[i].id) {
		case STAT_OPT_REFRESH:
		    if (*(loc + strlen(status_options[i].form_data_str)) == '='
                        && atol(loc + strlen(status_options[i].form_data_str) 
                                    + 1) > 0)
                case STAT_OPT_REFRESH: {
                    long refreshtime = 0;
                    if (*(loc + strlen(status_options[i].form_data_str)) == '=')
                        refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);
                    ap_table_set(r->headers_out,
                                 status_options[i].hdr_out_str,
			      loc + strlen(status_options[i].hdr_out_str) + 1);
		    else
			ap_table_set(r->headers_out,
			      status_options[i].hdr_out_str, "1");
                                 ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime));
                    break;
                }
		case STAT_OPT_NOTABLE:
		    no_table_report = 1;
		    break;
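
Review bot: In the STAT_OPT_REFRESH case, atol() gives no way to reject malformed input: it stops at the first non-digit, so refresh=5 followed by arbitrary text is silently accepted as 5, and a value too large for a long is undefined behaviour in C. The header itself is safe either way because it is now rebuilt with "%ld" instead of copying from r->args, but consider strtol() with an end-pointer check (the next character must be '&' or the end of the string) and an upper bound on refreshtime, falling back to the default when the check fails. The literal 10 in (refreshtime<1)?10:refreshtime would read better as a named constant, and the new lines are indented with spaces while the neighbouring cases use tabs.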