author | 2007-08-08 21:01:44 +0000 | |
---|---|---|
committer | 2007-08-08 21:01:44 +0000 | |
commit | 12bf86315208ef652ace74cdad4aa9a19432fe10 (patch) | |
tree | 855f2fb37d550212d36d35c49651f25bdfc91160 /usr.sbin/httpd/src | |
parent | Prevent a potential null-pointer dereference. (diff) | |
fix CVE-2006-5752
A flaw was found in the mod_status module. On sites where the
server-status page is publicly accessible and ExtendedStatus is enabled
this could lead to a cross-site scripting attack. Note that the
server-status page is not enabled by default, and it is best practice
not to make it publicly available.
ok miod@, henning@
Diffstat (limited to 'usr.sbin/httpd/src')
-rw-r--r-- | usr.sbin/httpd/src/modules/standard/mod_status.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/usr.sbin/httpd/src/modules/standard/mod_status.c b/usr.sbin/httpd/src/modules/standard/mod_status.c
index f6a883ef8c5..863b0894194 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_status.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_status.c
@@ -245,7 +245,7 @@ static int status_handler(request_rec *r)
 if (r->method_number != M_GET)
 return DECLINED;
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=ISO-8859-1";
 /*
 * Simple table-driven form data set parser that lets you alter the header
@@ -271,7 +271,7 @@ static int status_handler(request_rec *r)
 no_table_report = 1;
 break;
 case STAT_OPT_AUTO:
- r->content_type = "text/plain";
+ r->content_type = "text/plain; charset=ISO-8859-1";
 short_report = 1;
 break;
 }
@@ -563,7 +563,7 @@ static int status_handler(request_rec *r)
 ap_rputs(")\n", r);
 ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n",
 ap_escape_html(r->pool, score_record.client),
- ap_escape_html(r->pool, score_record.request),
+ ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)),
 vhost ? ap_escape_html(r->pool, vhost->server_hostname) : "(unavailable)");
 }
@@ -639,14 +639,14 @@ static int status_handler(request_rec *r)
 "</tr>\n\n",
 score_record.client,
 vhost ? vhost->server_hostname : "(unavailable)",
- ap_escape_html(r->pool, score_record.request));
+ ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)));
 #else
 ap_rprintf(r, "<td>%s<td nowrap>%s<td nowrap>%s</tr>\n\n",
 ap_escape_html(r->pool, score_record.client),
 vhost ? ap_escape_html(r->pool, vhost->server_hostname) : "(unavailable)",
- ap_escape_html(r->pool, score_record.request));
+ ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)));
 #endif
 } /* no_table_report */
 } /* !short_report */ |
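Review bot: The new content-type assignment in this hunk, and the text/plain one in the STAT_OPT_AUTO hunk, carry no explanation of why the charset suffix is there, and a later cleanup could easily drop it as noise. A comment above the first assignment would preserve the intent: `/* Pin the charset so a browser cannot interpret the page in an encoding that ap_escape_html does not account for (CVE-2006-5752). */`. A one-line `/* see charset note above */` on the text/plain variant is enough. status_handler begins before this hunk and continues well past it.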
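Review bot: The nested `ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request))` introduced here is repeated verbatim in both branches of the last hunk, so the escaping order (control characters first, HTML metacharacters second) is now fixed in three places. A file-scope helper keeps it in one: `static const char *escape_request(request_rec *r, const char *req) { return ap_escape_html(r->pool, ap_escape_logitem(r->pool, req)); }`, called as `escape_request(r, score_record.request)`. A short comment on the helper stating that the inner call must run first would stop someone from swapping the order later. The enclosing ap_rprintf call is fully visible, but status_handler itself extends outside the hunk.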
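Review bot: In the first (`#if`) branch of this hunk, `score_record.client` and `vhost->server_hostname` are still passed to ap_rprintf without ap_escape_html, while the `#else` branch below escapes both; only the request field receives the new treatment. If that branch is compiled in and the client field can carry a looked-up host name rather than a bare address, the HTML escaping remains incomplete for the same class of problem the commit addresses. Wrapping both arguments as the `#else` branch does, `ap_escape_html(r->pool, score_record.client)` and `vhost ? ap_escape_html(r->pool, vhost->server_hostname) : "(unavailable)"`, would make the two branches consistent. The format string for that call and the `#if` condition itself lie above the hunk, so this is inferred from the visible arguments only.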