path: root/debian/patches/097_CVE-2012-2687.dpatch
#! /bin/sh /usr/share/dpatch/dpatch-run
## All lines beginning with `## DP:' are a description of the patch.
## DP: low impact XSS in mod_negotiation
## DP: backport of upstream r1374421
diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c
index 25e6034..ef4a72a 100644
--- a/modules/mappers/mod_negotiation.c
+++ b/modules/mappers/mod_negotiation.c
@@ -2658,9 +2658,9 @@ static char *make_variant_list(request_rec *r, negotiation_state *neg)
          * need to change the calculation of max_vlist_array above.
          */
         *((const char **) apr_array_push(arr)) = "<li><a href=\"";
-        *((const char **) apr_array_push(arr)) = filename;
+        *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
         *((const char **) apr_array_push(arr)) = "\">";
-        *((const char **) apr_array_push(arr)) = filename;
+        *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
         *((const char **) apr_array_push(arr)) = "</a> ";
         *((const char **) apr_array_push(arr)) = description;