diff --git a/CHANGES b/CHANGES
index ba9de5e5c1..ff711bcb22 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
+ *) mod_proxy_balancer: Correctly escape the worker route and the worker
+ redirect string in the HTML output of the balancer manager.
+ Reported by SecurityReason. [Ruediger Pluem]
+
 *) Prevent crash in balancer manager if invalid balancer name is passed as parameter. Reported by SecurityReason. [Ruediger Pluem]
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index 6ea49b6161..9339d4386a 100644
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -803,8 +803,10 @@ static int balancer_handler(request_rec *r)
 ap_escape_uri(r->pool, worker->name), "\">", NULL);
 ap_rvputs(r, worker->name, "", NULL);
- ap_rvputs(r, "