authorhenning <henning@openbsd.org>2002-10-04 11:29:52 +0000
committerhenning <henning@openbsd.org>2002-10-04 11:29:52 +0000
commit0b769f0164c44387369d222ede5b01defdb279f5 (patch)
treef753d4aa60e4081449404eff5e9dd97dc3b2f540 /usr.sbin/httpd/src
parentnew sentence, new line (diff)
fix a cross-site scripting vuln:
*) SECURITY: CAN-2002-0840 (cve.mitre.org) Prevent a cross-site scripting vulnerability in the default error page. The issue could only be exploited if the directive UseCanonicalName is set to Off and a server is being run at a domain that allows wildcard DNS. [Matthew Murphy]
Diffstat (limited to 'usr.sbin/httpd/src')
-rw-r--r--usr.sbin/httpd/src/main/http_core.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.sbin/httpd/src/main/http_core.c b/usr.sbin/httpd/src/main/http_core.c
index 49bc03ee222..1262fb20b2f 100644
--- a/usr.sbin/httpd/src/main/http_core.c
+++ b/usr.sbin/httpd/src/main/http_core.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: http_core.c,v 1.12 2002/07/19 21:31:15 henning Exp $ */
+/* $OpenBSD: http_core.c,v 1.13 2002/10/04 11:29:52 henning Exp $ */
/* ====================================================================
* The Apache Software License, Version 1.1
@@ -2794,11 +2794,14 @@ API_EXPORT(const char *) ap_psignature(const char *prefix, request_rec *r)
return ap_pstrcat(r->pool, prefix, "<ADDRESS>" SERVER_BASEVERSION
" Server at <A HREF=\"mailto:",
r->server->server_admin, "\">",
- ap_get_server_name(r), "</A> Port ", sport,
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ "</A> Port ", sport,
"</ADDRESS>\n", NULL);
}
return ap_pstrcat(r->pool, prefix, "<ADDRESS>" SERVER_BASEVERSION
- " Server at ", ap_get_server_name(r), " Port ", sport,
+ " Server at ",
+ ap_escape_html(r->pool, ap_get_server_name(r)),
+ " Port ", sport,
"</ADDRESS>\n", NULL);
}
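Review bot: `r->server->server_admin` on the line just above the first change is still concatenated into the `href="mailto:…"` attribute unescaped, while the server name on the same line is now wrapped in `ap_escape_html(r->pool, ...)`; it is set by the ServerAdmin directive, so that input is configuration-controlled rather than client-controlled, but for consistency it should be passed through the same call. That value also sits inside a double-quoted attribute, so confirm that ap_escape_html's treatment of `"` is sufficient in that context before relying on it there. A short comment above the first escaped call would record the reason for the escape, e.g. `/* The server name can derive from the client-supplied Host header when UseCanonicalName is Off; escape it before echoing into HTML. */`. The opening of ap_psignature is outside the hunk.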