File httpd-2.2.x-bnc807152-mod_balancer_handler_xss.... of Package apache2

Overview Repositories Revisions Requests Users Attributes Meta

File httpd-2.2.x-bnc807152-mod_balancer_handler_xss.diff of Package apache2

diff -rNU 30 ../httpd-2.2.12-o/modules/proxy/mod_proxy_balancer.c ./modules/proxy/mod_proxy_balancer.c
--- ../httpd-2.2.12-o/modules/proxy/mod_proxy_balancer.c	2013-03-26 17:17:33.000000000 +0100
+++ ./modules/proxy/mod_proxy_balancer.c	2013-03-26 17:43:34.000000000 +0100
@@ -793,96 +793,106 @@
         ap_rputs("  <httpd:balancers>\n", r);
         balancer = (proxy_balancer *)conf->balancers->elts;
         for (i = 0; i < conf->balancers->nelts; i++) {
             ap_rputs("    <httpd:balancer>\n", r);
             ap_rvputs(r, "      <httpd:name>", balancer->name, "</httpd:name>\n", NULL);
             ap_rputs("      <httpd:workers>\n", r);
             worker = (proxy_worker *)balancer->workers->elts;
             for (n = 0; n < balancer->workers->nelts; n++) {
                 ap_rputs("        <httpd:worker>\n", r);
                 ap_rvputs(r, "          <httpd:scheme>", worker->scheme,
                           "</httpd:scheme>\n", NULL);
                 ap_rvputs(r, "          <httpd:hostname>", worker->hostname,
                           "</httpd:hostname>\n", NULL);
                ap_rprintf(r, "          <httpd:loadfactor>%d</httpd:loadfactor>\n",
                           worker->s->lbfactor);
                 ap_rputs("        </httpd:worker>\n", r);
                 ++worker;
             }
             ap_rputs("      </httpd:workers>\n", r);
             ap_rputs("    </httpd:balancer>\n", r);
             ++balancer;
         }
         ap_rputs("  </httpd:balancers>\n", r);
         ap_rputs("</httpd:manager>", r);
     }
     else {
         ap_set_content_type(r, "text/html; charset=ISO-8859-1");
         ap_rputs(DOCTYPE_HTML_3_2
                  "<html><head><title>Balancer Manager</title></head>\n", r);
         ap_rputs("<body><h1>Load Balancer Manager for ", r);
+/*
+CVE-2012-4558
         ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
+ */
+	ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
+		"</h1>\n\n", NULL);
         ap_rvputs(r, "<dl><dt>Server Version: ",
                   ap_get_server_description(), "</dt>\n", NULL);
         ap_rvputs(r, "<dt>Server Built: ",
                   ap_get_server_built(), "\n</dt></dl>\n", NULL);
         balancer = (proxy_balancer *)conf->balancers->elts;
         for (i = 0; i < conf->balancers->nelts; i++) {
 
             ap_rputs("<hr />\n<h3>LoadBalancer Status for ", r);
             ap_rvputs(r, balancer->name, "</h3>\n\n", NULL);
             ap_rputs("\n\n<table border=\"0\" style=\"text-align: left;\"><tr>"
                 "<th>StickySession</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th>"
                 "</tr>\n<tr>", r);
             if (balancer->sticky) {
                 ap_rvputs(r, "<td>", balancer->sticky, NULL);
             }
             else {
                 ap_rputs("<td> - ", r);
             }
             ap_rprintf(r, "</td><td>%" APR_TIME_T_FMT "</td>",
                 apr_time_sec(balancer->timeout));
             ap_rprintf(r, "<td>%d</td>\n", balancer->max_attempts);
             ap_rprintf(r, "<td>%s</td>\n",
                        balancer->lbmethod->name);
             ap_rputs("</table>\n<br />", r);
             ap_rputs("\n\n<table border=\"0\" style=\"text-align: left;\"><tr>"
                 "<th>Worker URL</th>"
                 "<th>Route</th><th>RouteRedir</th>"
                 "<th>Factor</th><th>Set</th><th>Status</th>"
                 "<th>Elected</th><th>To</th><th>From</th>"
                 "</tr>\n", r);
 
             worker = (proxy_worker *)balancer->workers->elts;
             for (n = 0; n < balancer->workers->nelts; n++) {
                 char fbuf[50];
+/*
+CVE-2012-4558
                 ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=",
+ */
+		ap_rvputs(r, "<tr>\n<td><a href=\"",
+			ap_escape_uri(r->pool, r->uri), "?b=",
                           balancer->name + sizeof("balancer://") - 1, "&w=",
                           ap_escape_uri(r->pool, worker->name),
                           "&nonce=", balancer_nonce, 
                           "\">", NULL);
                 ap_rvputs(r, worker->name, "</a></td>", NULL);
                 ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route),
                           NULL);
                 ap_rvputs(r, "</td><td>",
                           ap_escape_html(r->pool, worker->s->redirect), NULL);
                 ap_rprintf(r, "</td><td>%d</td>", worker->s->lbfactor);
                 ap_rprintf(r, "<td>%d</td><td>", worker->s->lbset);
                 if (worker->s->status & PROXY_WORKER_DISABLED)
                    ap_rputs("Dis ", r);
                 if (worker->s->status & PROXY_WORKER_IN_ERROR)
                    ap_rputs("Err ", r);
                 if (worker->s->status & PROXY_WORKER_STOPPED)
                    ap_rputs("Stop ", r);
                 if (worker->s->status & PROXY_WORKER_HOT_STANDBY)
                    ap_rputs("Stby ", r);
                 if (PROXY_WORKER_IS_USABLE(worker))
                     ap_rputs("Ok", r);
                 if (!PROXY_WORKER_IS_INITIALIZED(worker))
                     ap_rputs("-", r);
                 ap_rputs("</td>", r);
                 ap_rprintf(r, "<td>%" APR_SIZE_T_FMT "</td><td>", worker->s->elected);
                 ap_rputs(apr_strfsize(worker->s->transferred, fbuf), r);
                 ap_rputs("</td><td>", r);
                 ap_rputs(apr_strfsize(worker->s->read, fbuf), r);
                 ap_rputs("</td></tr>\n", r);

Places

File httpd-2.2.x-bnc807152-mod_balancer_handler_xss.diff of Package apache2

Places