author | Martynas Venckus <martynas@cvs.openbsd.org> | 2007-08-08 21:01:45 +0000 |
---|---|---|
committer | Martynas Venckus <martynas@cvs.openbsd.org> | 2007-08-08 21:01:45 +0000 |
commit | 21bf4daa8658b2e95e0263866ab4709a82b5418b (patch) | |
tree | e6a62f2114156397fdb36224e19d4aed4eb1be86 | |
parent | 4785217b3ea280c4ab5022625967dfbe11411d3e (diff) |
fix CVE-2006-5752
A flaw was found in the mod_status module. On sites where the
server-status page is publicly accessible and ExtendedStatus is enabled
this could lead to a cross-site scripting attack. Note that the
server-status page is not enabled by default, and it is best practice
not to make it publicly available.
ok miod@, henning@
-rw-r--r-- | usr.sbin/httpd/src/modules/standard/mod_status.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/usr.sbin/httpd/src/modules/standard/mod_status.c b/usr.sbin/httpd/src/modules/standard/mod_status.c
index f6a883ef8c5..863b0894194 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_status.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_status.c
@@ -245,7 +245,7 @@ static int status_handler(request_rec *r)
     if (r->method_number != M_GET)
         return DECLINED;
 
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
 
     /*
      * Simple table-driven form data set parser that lets you alter the header
@@ -271,7 +271,7 @@ static int status_handler(request_rec *r)
             no_table_report = 1;
             break;
         case STAT_OPT_AUTO:
-            r->content_type = "text/plain";
+            r->content_type = "text/plain; charset=ISO-8859-1";
             short_report = 1;
             break;
         }
@@ -563,7 +563,7 @@ static int status_handler(request_rec *r)
                 ap_rputs(")\n", r);
                 ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n",
                            ap_escape_html(r->pool, score_record.client),
-                           ap_escape_html(r->pool, score_record.request),
+                           ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)),
                            vhost ? ap_escape_html(r->pool, vhost->server_hostname) : "(unavailable)");
             }
 
@@ -639,14 +639,14 @@ static int status_handler(request_rec *r)
                            "</tr>\n\n",
                            score_record.client,
                            vhost ? vhost->server_hostname : "(unavailable)",
-                           ap_escape_html(r->pool, score_record.request));
+                           ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)));
 
 #else
                 ap_rprintf(r, "<td>%s<td nowrap>%s<td nowrap>%s</tr>\n\n",
                            ap_escape_html(r->pool, score_record.client),
                            vhost ? ap_escape_html(r->pool, vhost->server_hostname) : "(unavailable)",
-                           ap_escape_html(r->pool, score_record.request));
+                           ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)));
 
 #endif
             }  /* no_table_report */
         }  /* !short_report */ |
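Review bot: The first branch of the @@ -639 hunk still prints `score_record.client` and `vhost->server_hostname` without `ap_escape_html`, while the `#else` branch a few lines below escapes both, so the two builds of the table report differ in what reaches the page unescaped; if that first branch is ever compiled, the client field (which can be a reverse-DNS name rather than an address when HostnameLookups is on) would be emitted raw even though the request line is now escaped twice. Wrapping both arguments in `ap_escape_html(r->pool, ...)` exactly as the `#else` branch does would make the two branches consistent. The charset additions in the @@ -245 and @@ -271 hunks carry no comment saying why they are part of this fix; a one-liner such as `/* state the charset explicitly so the client cannot reinterpret the escaped output in another encoding */` would keep a later cleanup from dropping them. status_handler begins and ends outside these hunks.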