Commit a172c1dc authored by Joe Orton's avatar Joe Orton

Fix CVE-2007-5000:

* src/modules/standard/mod_imap.c (menu_header): Fix cross-site
  scripting issue by escaping the URI, and ensure that a charset
  parameter is sent in the content-type to prevent autodetection by
  broken browsers.

Reported by: JPCERT


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@603597 13f79535-47bb-0310-9956-ffa450edef68
parent e8485491
+4 −0
Changes with Apache 1.3.40

  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
     mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
    [Joe Orton]

  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
     mod_proxy: Prevent reading past the end of a buffer when parsing
     date-related headers.  PR 41144.
+6 −4
@@ -463,7 +463,7 @@ static int imap_reply(request_rec *r, char *redirect)

static void menu_header(request_rec *r, char *menu)
{
    r->content_type = "text/html";
    r->content_type = "text/html; charset=ISO-8859-1";
    ap_send_http_header(r);
#ifdef CHARSET_EBCDIC
    /* Server-generated response, converted */
@@ -471,11 +471,13 @@ static void menu_header(request_rec *r, char *menu)
#endif
    ap_hard_timeout("send menu", r);       /* killed in menu_footer */

    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", 
              ap_escape_html(r->pool, r->uri),
              "</title>\n</head><body>\n", NULL);

    if (!strcasecmp(menu, "formatted")) {
        ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL);
        ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri),
                  "</h1>\n<hr>\n\n", NULL);
    }

    return;
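Review bot: Nothing in menu_header records that the `charset=ISO-8859-1` suffix on `r->content_type` is part of the XSS fix, so a later cleanup could drop it and bring back browser charset autodetection on a page that echoes the request URI. A comment above the assignment would keep the intent, for example `/* fixed charset: this page echoes r->uri, so browsers must not autodetect the encoding (CVE-2007-5000) */`. In the second hunk `ap_escape_html(r->pool, r->uri)` is evaluated twice for a formatted menu. Computing it once, `const char *uri = ap_escape_html(r->pool, r->uri);`, and passing `uri` to both `ap_rvputs` calls leaves a single escaped value and makes a later unescaped use of `r->uri` easier to spot. Only the title and h1 output are covered here; whether the other menu writers in mod_imap.c emit request-derived text is not visible on this page and is worth confirming.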