#
# *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
# ap_server_signature() against this cross-site scripting
# vulnerability exposed by the directive 'UseCanonicalName Off'.
# Also HTML-escape the SERVER_NAME environment variable for CGI
# and SSI requests. It's safe to escape as only the '<', '>',
# and '&' characters are affected, which won't appear in a valid
# hostname. Reported by Matthew Murphy .
# [Brian Pane ]
#
Index: server/core.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/core.c,v
retrieving revision 1.205
diff -u -r1.205 core.c
--- server/core.c 16 Sep 2002 13:11:55 -0000 1.205
+++ server/core.c 21 Sep 2002 17:22:11 -0000
@@ -2240,12 +2240,15 @@
return apr_pstrcat(r->pool, prefix, "" AP_SERVER_BASEVERSION
" Server at server->server_admin, "\">",
- ap_get_server_name(r), " Port ", sport,
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ " Port ", sport,
"\n", NULL);
}
return apr_pstrcat(r->pool, prefix, "" AP_SERVER_BASEVERSION
- " Server at ", ap_get_server_name(r), " Port ", sport,
+ " Server at ",
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ " Port ", sport,
"\n", NULL);
}
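Review bot: The escaping added on the new side (the two `ap_escape_html(r->pool, ap_get_server_name(r))` calls) covers only the server name; `r->server->server_admin` on the line before it is still concatenated raw into the `mailto:` href. That value comes from the ServerAdmin directive rather than the request, so it is administrator-controlled and not the CAN-2002-0840 vector, but a comment saying why the two are treated differently would stop a later reader from "fixing" it inconsistently: `/* server_admin is config-controlled; only the Host-derived name needs escaping */`. This is output-side hardening only — under UseCanonicalName Off the name still originates in the client's Host header, so validating the hostname's character set at request-parse time would protect every other consumer of ap_get_server_name(), not just this signature. The enclosing function (ap_psignature(), judging by the call in util_script.c) begins before this hunk.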
Index: server/util_script.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/util_script.c,v
retrieving revision 1.79
diff -u -r1.79 util_script.c
--- server/util_script.c 23 Jun 2002 06:15:03 -0000 1.79
+++ server/util_script.c 21 Sep 2002 17:22:11 -0000
@@ -266,7 +266,8 @@
apr_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r));
apr_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version());
- apr_table_addn(e, "SERVER_NAME", ap_get_server_name(r));
+ apr_table_addn(e, "SERVER_NAME",
+ ap_escape_html(r->pool, ap_get_server_name(r)));
apr_table_addn(e, "SERVER_ADDR", r->connection->local_ip); /* Apache */
apr_table_addn(e, "SERVER_PORT",
apr_psprintf(r->pool, "%u", ap_get_server_port(r)));
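Review bot: Escaping SERVER_NAME in the added lines bakes an HTML-context transformation into an environment value that CGI scripts also use in non-HTML contexts (Location headers, log lines, constructed URLs), and a script that already HTML-escapes its output would double-escape it. It is harmless only because, as the commit message says, a valid hostname contains none of `<`, `>` or `&`; the cleaner fix is to reject a Host header containing such characters when the request is parsed, so the environment keeps raw semantics and every caller of ap_get_server_name() benefits. If the escape stays, record the rationale next to it: `/* Host-derived under UseCanonicalName Off; escaped so SSI/CGI output cannot inject markup (CAN-2002-0840) */`. SERVER_SIGNATURE on the first context line is only safe because ap_psignature() is escaped in the core.c part of this same patch — worth a cross-reference comment so the two are not decoupled later.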