author | Stefan Fritsch <sf@sfritsch.de> | 2012-09-08 00:41:31 +0200 |
---|---|---|
committer | Stefan Fritsch <sf@sfritsch.de> | 2012-09-08 00:41:31 +0200 |
commit | d52b91fc66df864fc02278929125019240955ba5 (patch) | |
tree | c1651fa8682af9a591c2855ccfdd74fe1e3ed3a4 | |
parent | 71849f7217cf0153d2fad36cf5c995b5967a58a3 (diff) | |
Fix CVE-2012-2687 in mod_negotiation
-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | debian/patches/00list | 1 | ||||
-rwxr-xr-x | debian/patches/097_CVE-2012-2687.dpatch | 20 |
3 files changed, 24 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 3a2e9625..f3b80349 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,8 @@ apache2 (2.2.16-6+squeeze8) UNRELEASED; urgency=low + * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to + prevent a possible XSS vulnerability for a site where untrusted users + can upload files to a location with MultiViews enabled. * Send 408 status instead of 400 if reading of a request fails with a timeout. This allows browsers to retry. Closes: #677086 * mod_cache: Prevent Partial Content responses from being cached and served diff --git a/debian/patches/00list b/debian/patches/00list index 733e8044..4ec2917d 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -38,6 +38,7 @@ 094_CVE-2012-0053.dpatch 095_send_408_status.dpatch 096_mod_cache_partial_content-2.2.x.dpatch +097_CVE-2012-2687.dpatch 099_config_guess_sub_update 200_cp_suexec.dpatch 201_build_suexec-custom.dpatch diff --git a/debian/patches/097_CVE-2012-2687.dpatch b/debian/patches/097_CVE-2012-2687.dpatch new file mode 100755 index 00000000..ba3c84b4 --- /dev/null +++ b/debian/patches/097_CVE-2012-2687.dpatch 
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: low impact XSS in mod_negotiation
+## DP: backport of upstream r1374421
+diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c
+index 25e6034..ef4a72a 100644
+--- a/modules/mappers/mod_negotiation.c
++++ b/modules/mappers/mod_negotiation.c
+@@ -2658,9 +2658,9 @@ static char *make_variant_list(request_rec *r, negotiation_state *neg)
+ * need to change the calculation of max_vlist_array above.
+ */
+ *((const char **) apr_array_push(arr)) = "<li><a href=\"";
+- *((const char **) apr_array_push(arr)) = filename;
++ *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
+ *((const char **) apr_array_push(arr)) = "\">";
+- *((const char **) apr_array_push(arr)) = filename;
++ *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
+ *((const char **) apr_array_push(arr)) = "</a> ";
+ *((const char **) apr_array_push(arr)) = description;
+ |
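Review bot: The context line right after the fix still pushes `description` into the same `<li>` without escaping, so the list item is only as safe as that value; where `description` is assigned is outside this hunk, so whether it can carry uploader-controlled text (for example from a type map) needs confirming. If it is meant to be plain text, `*((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, description);` would close it, and since this patch is a backport of upstream r1374421 the change belongs upstream first rather than as a local divergence. If it is deliberately trusted, a comment such as `/* description comes from <source>; not escaped because ... */` next to the push would record that decision. The two replacements are one-for-one, so the max_vlist_array sizing mentioned in the comment above them is unaffected. make_variant_list starts and ends outside the hunk.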