https://issues.apache.org/bugzilla/show_bug.cgi?id=56542
Bug ID: 56542
Summary: 2.4.x mod_rewrite writes data to a log file without sanitizing
Product: Apache httpd-2
Version: 2.4.9
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_rewrite
Assignee: [email protected]
Reporter: [email protected]
Comparing do_rewritelog() in the 2.2 and 2.4 lines, I've found missing
inheritance of the CVE-2013-1862 fix, which may lead to writing data to a
log file without sanitizing.
2.2:

    logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
                           "(%d) %s%s%s%s" APR_EOL_STR,
                           rhost ? ap_escape_logitem(r->pool, rhost) :
                                   "UNKNOWN-HOST",
                           rname ? ap_escape_logitem(r->pool, rname) : "-",

and 2.4:

    logline = apr_psprintf(r->pool, "%s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
                           "%s%s%s%s",
                           rhost ? rhost : "UNKNOWN-HOST",
                           rname ? rname : "-",
Why has this not been patched in 2.4 since 2013? What is the reason for such a
difference?
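The difference between the two excerpts above, as an added example that is not part of the original report and not httpd code: escape_logitem() is a simplified stand-in for ap_escape_logitem(), format_logline() is a hypothetical helper, and the field values and message text are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for ap_escape_logitem(); not the httpd implementation.
 * Copies src into dst (dstlen >= 1), escaping control bytes, '"' and '\\'. */
static char *escape_logitem(char *dst, size_t dstlen, const char *src)
{
    static const char named[] = "\b\n\r\t\v", letter[] = "bnrtv";
    size_t o = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        const char *p = strchr(named, c);
        char buf[5];
        int len = p ? snprintf(buf, sizeof buf, "\\%c", letter[p - named])
                : (c == '\\' || c == '"') ? snprintf(buf, sizeof buf, "\\%c", c)
                : !isprint(c) ? snprintf(buf, sizeof buf, "\\x%02x", c)
                : snprintf(buf, sizeof buf, "%c", c);
        if (o + (size_t)len >= dstlen) break;   /* truncate on a whole escape */
        memcpy(dst + o, buf, (size_t)len);
        o += (size_t)len;
    }
    dst[o] = '\0';
    return dst;
}

/* Formats the two fields raw (as in the 2.4 excerpt) or escaped (as in the
 * 2.2 excerpt); returns how many raw newline or ESC bytes reach the line. */
static int format_logline(char *out, size_t n, const char *rhost,
                          const char *rname, int escape)
{
    char h[256], u[256];
    int raw = 0;
    if (escape && rhost) rhost = escape_logitem(h, sizeof h, rhost);
    if (escape && rname) rname = escape_logitem(u, sizeof u, rname);
    snprintf(out, n, "%s %s (2) init rewrite engine",
             rhost ? rhost : "UNKNOWN-HOST", rname ? rname : "-");
    for (const char *p = out; *p; p++) raw += (*p == '\n' || *p == '\033');
    return raw;
}

int main(void)
{
    char line[600];
    const char *rname = "bob\n\033[2Jforged";   /* constructed sample value */
    int raw = format_logline(line, sizeof line, "client.example", rname, 0);
    int esc = format_logline(line, sizeof line, "client.example", rname, 1);
    printf("raw control bytes: unescaped=%d escaped=%d\n%s\n", raw, esc, line);
    return 0;
}
```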