Created attachment 23371
fix, applies to 2.2.9

When mod_negotiation returns a 406 response when serving a file whose name includes whitespace or other special characters, those characters are not escaped in the Alternates: header. Similarly, the Content-Location: header is not escaped. As a result, content negotiation will probably not work with such files.

There is also a security impact: a user who can control the name of files on a web server could inject responses that appear to come from other web sites served by the same system.

On Mac OS X, this may be reproduced by

touch ~/Sites/'junk Header: Injected blah:.jpg'

and then requesting

http://localhost/~$USER/junk%0aHeader:%20Injected%0ablah:

The CVE description claims the bug is present in 2.2.6 and earlier. I have confirmed it in 2.2.9. Possibly all Apache versions that support content negotiation are affected. A patch is attached.
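The defensive side of the report above, as an added example that is not part of the thread, the attached patch or Apache httpd's own code: a file name that will be embedded in a Content-Location: or Alternates: header value is percent-encoded so that CR, LF, whitespace and other non-URI bytes can never start a new header line, and a separate check refuses any value that still carries CR or LF. The function names (header_value_has_crlf, escape_path_for_header, escaped_equals) and the sample file name are assumptions constructed for this example; the encoding keeps only RFC 3986 unreserved characters and '/'.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Defensive check: a header value must never carry CR or LF, because the
 * receiver would treat whatever follows as a new header line. */
int header_value_has_crlf(const char *s)
{
    return strchr(s, '\r') != NULL || strchr(s, '\n') != NULL;
}

/* True for bytes that may appear literally in a URI path:
 * RFC 3986 unreserved characters plus '/'. Everything else is encoded. */
static int is_safe_path_byte(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~' || c == '/';
}

/* Percent-encode a file name so it can be placed inside the URI of a
 * Content-Location: or Alternates: header value. Returns a malloc'd
 * string the caller frees, or NULL on allocation failure.
 * (Hypothetical helper written for this example, not httpd's API.) */
char *escape_path_for_header(const char *name)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(name);
    /* worst case: every byte becomes %XX */
    char *out = malloc(len * 3 + 1);
    if (!out) return NULL;
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)name; *s; s++) {
        if (is_safe_path_byte(*s)) {
            *p++ = (char)*s;
        } else {
            *p++ = '%';
            *p++ = hex[*s >> 4];
            *p++ = hex[*s & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

/* Convenience for checks: escape `name`, compare with `expected`, and
 * confirm the escaped form is free of CR/LF. Returns 1 on success. */
int escaped_equals(const char *name, const char *expected)
{
    char *e = escape_path_for_header(name);
    if (!e) return 0;
    int r = strcmp(e, expected) == 0 && !header_value_has_crlf(e);
    free(e);
    return r;
}

int main(void)
{
    /* Constructed sample: a file name containing newlines, like the one in the report. */
    const char *name = "junk\nHeader: Injected\nblah:.jpg";
    char *escaped = escape_path_for_header(name);
    if (!escaped) return 1;
    printf("raw value unsafe: %d\n", header_value_has_crlf(name));
    printf("Content-Location: /~user/%s\n", escaped);
    free(escaped);
    return 0;
}
```

The point of keeping both functions is that encoding at the point where the name is placed into the header is the fix, while the CR/LF check is the cheap last-line assertion that catches any code path that forgot to encode.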
I think this was considered a misconfiguration, not a bug. http://marc.info/?l=apache-httpd-dev&m=120220806715363&w=2
Thanks for the patch. Committed as r752812 to trunk.
Backported to 2.2.x as r752812.