Subject: svn commit: r595288 - /httpd/httpd/trunk/docs/manual/env.xml
Date: Thu, 15 Nov 2007 12:25:14 -0000
To: cvs@httpd.apache.org
From: jorton@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20071115122514.E8E0C1A9832@eris.apache.org>
Author: jorton
Date: Thu Nov 15 04:25:14 2007
New Revision: 595288
URL: http://svn.apache.org/viewvc?rev=595288&view=rev
Log:
- add note on security impact of suppress-error-charset for broken browsers
Modified:
httpd/httpd/trunk/docs/manual/env.xml
Modified: httpd/httpd/trunk/docs/manual/env.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/env.xml?rev=595288&r1=595287&r2=595288&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/env.xml (original)
+++ httpd/httpd/trunk/docs/manual/env.xml Thu Nov 15 04:25:14 2007
@@ -364,6 +364,19 @@
set for the redirection text, and these broken browsers will then correctly
use that of the destination page.
+
+ Security note
+
+ Sending error pages without a specified character set may
+ allow a cross-site-scripting attack for existing browsers (MSIE)
+ which do not follow the HTTP/1.1 specification and attempt to
+ "guess" the character set from the content. Such browsers can
+ be easily fooled into using the UTF-7 character set, and UTF-7
+ content from input data (such as the request-URI) will not be
+ escaped by the usual escaping mechanisms designed to prevent
+ cross-site-scripting attacks.
+
+
force-proxy-request-1.0, proxy-nokeepalive, proxy-sendchunked, proxy-sendcl
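Review bot: the note describes the UTF-7 sniffing risk but never states what it means for the variable being documented; the paragraph starting `+ Sending error pages without a specified character set may` should close by saying explicitly that setting suppress-error-charset removes the charset from error responses and therefore reintroduces this exposure, so that a reader skimming the variable list picks up the consequence rather than only the background. The sentence `+ allow a cross-site-scripting attack for existing browsers (MSIE)` also attributes the guessing behaviour to MSIE as a whole; if particular versions are known to do this, naming them would make the note actionable, and otherwise "some versions of" is the more accurate wording.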