Overview

File httpd-2.2.x-bnc806458-mod_proxy_ftp-xss.diff of Package apache2.1524

diff -rNU 30 ../httpd-2.2.12-o/modules/proxy/mod_proxy_ftp.c ./modules/proxy/mod_proxy_ftp.c
--- ../httpd-2.2.12-o/modules/proxy/mod_proxy_ftp.c	2013-03-26 17:17:33.000000000 +0100
+++ ./modules/proxy/mod_proxy_ftp.c	2013-03-26 19:19:45.000000000 +0100
@@ -338,61 +338,64 @@
             *type++ = '\0';
 
         (void)decodeenc(path);
 
         while (path[1] == '/') /* collapse multiple leading slashes to one */
             ++path;
 
         reldir = strrchr(path, '/');
         if (reldir != NULL && ftp_check_globbingchars(reldir)) {
             wildcard = &reldir[1];
             reldir[0] = '\0'; /* strip off the wildcard suffix */
         }
 
         /* Copy path, strip (all except the last) trailing slashes */
         /* (the trailing slash is needed for the dir component loop below) */
         path = dir = apr_pstrcat(p, path, "/", NULL);
         for (n = strlen(path); n > 1 && path[n - 1] == '/' && path[n - 2] == '/'; --n)
             path[n - 1] = '\0';
 
         /* Add a link to the root directory (if %2f hack was used) */
         str = (basedir[0] != '\0') ? "<a href=\"/%2f/\">%2f</a>/" : "";
 
         /* print "ftp://host/" */
         escpath = ap_escape_html(p, path);
         str = apr_psprintf(p, DOCTYPE_HTML_3_2
                 "<html>\n <head>\n  <title>%s%s%s</title>\n"
                 "<base href=\"%s%s%s\">\n"
                 " </head>\n"
                 " <body>\n  <h2>Directory of "
                 "<a href=\"/\">%s</a>/%s",
-                site, basedir, escpath, site, basedir, escpath, site, str);
+                ap_escape_html(p, site), basedir, escpath,
+                ap_escape_uri(p, site), basedir, escpath,
+                ap_escape_uri(p, site), str);
+
 
         APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str),
                                                           p, c->bucket_alloc));
 
         for (dir = path+1; (dir = strchr(dir, '/')) != NULL; )
         {
             *dir = '\0';
             if ((reldir = strrchr(path+1, '/'))==NULL) {
                 reldir = path+1;
             }
             else
                 ++reldir;
             /* print "path/" component */
             str = apr_psprintf(p, "<a href=\"%s%s/\">%s</a>/", basedir,
                         ap_escape_uri(p, path),
                         ap_escape_html(p, reldir));
             *dir = '/';
             while (*dir == '/')
               ++dir;
             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str,
                                                            strlen(str), p,
                                                            c->bucket_alloc));
         }
         if (wildcard != NULL) {
             wildcard = ap_escape_html(p, wildcard);
             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
                                                            strlen(wildcard), p,
                                                            c->bucket_alloc));
         }
openSUSE Build Service is sponsored by
Places