httpd-cvs mailing list archives

From jor...@apache.org
Subject svn commit: r595288 - /httpd/httpd/trunk/docs/manual/env.xml
Date Thu, 15 Nov 2007 12:25:14 GMT
Author: jorton
Date: Thu Nov 15 04:25:14 2007
New Revision: 595288

URL: http://svn.apache.org/viewvc?rev=595288&view=rev
Log:
- add note on security impact of suppress-error-charset for broken
browsers

Modified:
    httpd/httpd/trunk/docs/manual/env.xml

Modified: httpd/httpd/trunk/docs/manual/env.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/env.xml?rev=595288&r1=595287&r2=595288&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/env.xml (original)
+++ httpd/httpd/trunk/docs/manual/env.xml Thu Nov 15 04:25:14 2007
@@ -364,6 +364,19 @@
     set for the redirection text, and these broken browsers will then correctly
     use that of the destination page.</p>
 
+    <note type="warning">
+      <title>Security note</title> 
+
+      <p>Sending error pages without a specified character set may
+      allow a cross-site-scripting attack for existing browsers (MSIE)
+      which do not follow the HTTP/1.1 specification and attempt to
+      "guess" the character set from the content.  Such browsers can
+      be easily fooled into using the UTF-7 character set, and UTF-7
+      content from input data (such as the request-URI) will not be
+      escaped by the usual escaping mechanisms designed to prevent
+      cross-site-scripting attacks.</p>
+    </note>
+
    </section>
 
    <section id="proxy"><title>force-proxy-request-1.0, proxy-nokeepalive, proxy-sendchunked,
proxy-sendcl</title>
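Review bot: the warning never names suppress-error-charset, so a reader who lands on the note alone cannot tell which setting creates the exposure; the first sentence should tie it to the variable this section documents and to the trade-off stated just above it, e.g. "Setting suppress-error-charset omits the character set from error pages; browsers (such as MSIE) which do not follow the HTTP/1.1 specification and attempt to "guess" the character set from the content may then be fooled into using UTF-7, ...". Two smaller points in the same hunk: "existing browsers (MSIE)" reads as if MSIE were the only such browser and will date quickly, so "some browsers (for example MSIE)" is safer; and the <title> line carries trailing whitespace after "</title>".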


