httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r604192 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/http/http_protocol.c
Date Fri, 14 Dec 2007 13:46:44 GMT
Author: jim
Date: Fri Dec 14 05:46:43 2007
New Revision: 604192

URL: http://svn.apache.org/viewvc?rev=604192&view=rev
Log:
Merge r603346 from trunk:

http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings.

(words from jorton)

Submitted by: trawick
Reviewed by: jim

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/http/http_protocol.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=604192&r1=604191&r2=604192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Dec 14 05:46:43 2007
@@ -5,6 +5,10 @@
      mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
      [Joe Orton]  
 
+  *) http_protocol: Escape request method in 405 error reporting.
+     This has no security impact since the browser cannot be tricked
+     into sending arbitrary method strings.  [Jeff Trawick]
+
   *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum
      length we can squeeze inside the AJP message packet.
      [Mladen Turk]
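Review bot: the rationale in the new CHANGES entry is narrower than the fix itself: "the browser cannot be tricked into sending arbitrary method strings" only covers browser clients, while the method token on the request line can be anything a non-browser client chooses to send, so the escaping is still worthwhile hardening rather than a no-op. Consider wording the entry as describing the risk for browser-driven attacks specifically, e.g. "No known security impact, since a browser cannot be tricked into sending arbitrary method strings", so readers do not take it as a statement that unescaped method output is harmless in general.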

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=604192&r1=604191&r2=604192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Dec 14 05:46:43 2007
@@ -79,12 +79,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * escape input method in 405 canned error response
-     trunk:
-       http://svn.apache.org/viewvc?view=rev&revision=603346
-     2.2.x:
-       trunk patch applies
-     +1: trawick, wrowe, covener
 
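Review bot: removing the backport entry leaves two consecutive blank context lines between the "[ start all new proposals below ... ]" comment and the "PATCHES PROPOSED TO BACKPORT FROM TRUNK:" header; dropping one of them would keep the STATUS file's single-blank-line spacing.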
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]

Modified: httpd/httpd/branches/2.2.x/modules/http/http_protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/http_protocol.c?rev=604192&r1=604191&r2=604192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/http/http_protocol.c (original)
+++ httpd/httpd/branches/2.2.x/modules/http/http_protocol.c Fri Dec 14 05:46:43 2007
@@ -913,7 +913,8 @@
                            NULL));
     case HTTP_METHOD_NOT_ALLOWED:
         return(apr_pstrcat(p,
-                           "<p>The requested method ", r->method,
+                           "<p>The requested method ",
+                           ap_escape_html(r->pool, r->method),
                            " is not allowed for the URL ",
                            ap_escape_html(r->pool, r->uri),
                            ".</p>\n",
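Review bot: the change is consistent with the existing `ap_escape_html(r->pool, r->uri)` two lines below, so the 405 body now escapes both attacker-controlled tokens from the request line rather than only the URI. One thing to confirm outside this hunk: the surrounding `apr_pstrcat(p, ...)` allocates from `p` while the escaped copies come from `r->pool`; since `apr_pstrcat` copies its arguments into the new string this is fine whenever `r->pool` outlives the call, which the pre-existing `r->uri` line already relies on.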
