httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r608192 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/dav/main/mod_dav.c modules/generators/mod_info.c modules/ldap/util_ldap.c modules/proxy/mod_proxy_balancer.c
Date Wed, 02 Jan 2008 19:27:01 GMT
Author: jim
Date: Wed Jan  2 11:26:59 2008
New Revision: 608192

URL: http://svn.apache.org/viewvc?rev=608192&view=rev
Log:
       http://svn.apache.org/viewvc?rev=606693&view=rev
       http://svn.apache.org/viewvc?rev=607276&view=rev


Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/dav/main/mod_dav.c
    httpd/httpd/branches/2.2.x/modules/generators/mod_info.c
    httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c
    httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=608192&r1=608191&r2=608192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jan  2 11:26:59 2008
@@ -39,6 +39,11 @@
   *) mod_disk_cache: Delete temporary files if they cannot be renamed to their
      final name. [Davi Arnaut <davi haxent.com.br>]
 
+  *) Add explicit charset to the output of various modules to work around
+     possible cross-site scripting flaws affecting web browsers that do not
+     derive the response character set as required by  RFC2616.  One of these
+     reported by SecurityReason [Joe Orton]
+
   *) http_protocol: Escape request method in 405 error reporting.
      This has no security impact since the browser cannot be tricked
      into sending arbitrary method strings.  [Jeff Trawick]
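Review bot: The new CHANGES entry names no module, bug number or advisory reference, so a reader cannot tell which of the four modules touched by this commit (mod_dav, mod_info, util_ldap, mod_proxy_balancer) is the one "reported by SecurityReason"; suggest listing the affected modules and the report reference in the entry. Minor wording: "One of these reported by SecurityReason" is missing "was", and there is a double space before "RFC2616".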

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=608192&r1=608191&r2=608192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Jan  2 11:26:59 2008
@@ -76,33 +76,6 @@
 
 RELEASE SHOWSTOPPERS:
 
-   * Various modules: Add explicit charset to the output of various modules to
-     work around possible cross-site scripting flaws affecting web browsers that
-     do not derive the response character set as required by RFC2616.
-      Trunk version of patch:
-         http://svn.apache.org/viewvc?rev=606693&view=rev
-         http://svn.apache.org/viewvc?rev=607276&view=rev
-      Backport version for 2.2.x of patch:
-         http://people.apache.org/~rpluem/patches/utf7_fix_2.2.x.diff
-      +1: rpluem, wrowe, jim
-      wrowe notes; as nice as customization might be, this mirrors the behavior
-      or all RFC conformant browsers, and additional customization can come
-      as a new feature in the future.
-      -1: niq.  We cannot label FTP directory listings as ISO-8859-1 unless
-                we ensure they really are (e.g. some backend platforms will
-                give us UTF-8).  Also mod_dav embeds r->uri in the response:
-                we would need to URL-escape that before HTML-escaping it
-                to ensure that it's ISO-8859-1-compatible.
-      rpluem says: Please see my answers on list. Keep in mind that we do NOT
-                   create a regression by this patch but only enforce browsers
-                   who do not act in an RFC compliant manner to do so.
-                   So please reconsider your -1.
-      wrowe echos rpluem's sentiments, and argues supporting non-RFC clients
-            is not a key purpose of httpd.  However, if the associated non
-            showstopper new-feature will satisfy you, perhaps this should
-            be adopted (c.f. mod_proxy_ftp below).
-      niq says: I withdraw my -1 if we also apply a patch that enables
-                an admin to specify charset in an FTP directory list.
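Review bot: niq's -1 was withdrawn only on condition that a patch letting an admin specify the charset for FTP directory listings is applied as well, yet this commit touches only mod_dav, mod_info, util_ldap and mod_proxy_balancer and its log cites only r606693 and r607276; before deleting the showstopper entry, record where the mod_proxy_ftp charset change landed, or keep the entry open until it does. Removing the entry also drops the only pointer to the 2.2.x backport diff (http://people.apache.org/~rpluem/patches/utf7_fix_2.2.x.diff), which the log message does not mention.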
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]

Modified: httpd/httpd/branches/2.2.x/modules/dav/main/mod_dav.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/dav/main/mod_dav.c?rev=608192&r1=608191&r2=608192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/dav/main/mod_dav.c (original)
+++ httpd/httpd/branches/2.2.x/modules/dav/main/mod_dav.c Wed Jan  2 11:26:59 2008
@@ -317,7 +317,7 @@
     /* ### I really don't think this is needed; gotta test */
     r->status_line = ap_get_status_line(status);
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     /* begin the response now... */
     ap_rvputs(r,
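Review bot: Only the Content-Type header changes here, but the STATUS discussion for this backport noted that mod_dav embeds r->uri in this error response and that it must be URL-escaped before it is HTML-escaped for the body to actually be ISO-8859-1 compatible; nothing in the visible context shows that escaping. Confirm that the output following `ap_rvputs(r,` escapes r->uri that way, otherwise the new charset label is attached to a body that can still carry raw request bytes.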

Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_info.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_info.c?rev=608192&r1=608191&r2=608192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/generators/mod_info.c (original)
+++ httpd/httpd/branches/2.2.x/modules/generators/mod_info.c Wed Jan  2 11:26:59 2008
@@ -607,7 +607,7 @@
     if (r->method_number != M_GET)
         return DECLINED;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     ap_rputs(DOCTYPE_XHTML_1_0T
              "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"
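Review bot: The header now declares ISO-8859-1 for an XHTML body (DOCTYPE_XHTML_1_0T), but the document itself carries no charset declaration; consider also emitting `<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />` in the `<head>` so the declaration survives when the page is saved locally or passes through an intermediary that rewrites headers. The header is the actual fix for the browser behaviour described in CHANGES; the meta element only keeps the body self-describing.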

Modified: httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c?rev=608192&r1=608191&r2=608192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ldap/util_ldap.c Wed Jan  2 11:26:59 2008
@@ -111,7 +111,7 @@
         return DECLINED;
     }
 
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
     if (r->header_only)
         return OK;
 
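Review bot: This hunk assigns r->content_type directly while the other three hunks in the commit go through ap_set_content_type(); use `ap_set_content_type(r, "text/html; charset=ISO-8859-1");` here as well so all four call sites change the content type the same way (ap_set_content_type() is also the path that inserts AddOutputFiltersByType filters, which a bare assignment skips).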

Modified: httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c?rev=608192&r1=608191&r2=608192&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c Wed Jan  2 11:26:59 2008
@@ -720,7 +720,7 @@
         ap_rputs("</httpd:manager>", r);
     }
     else {
-        ap_set_content_type(r, "text/html");
+        ap_set_content_type(r, "text/html; charset=ISO-8859-1");
         ap_rputs(DOCTYPE_HTML_3_2
                  "<html><head><title>Balancer Manager</title></head>\n",
r);
         ap_rputs("<body><h1>Load Balancer Manager for ", r);
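Review bot: Only the HTML branch (`else`) gains the explicit charset; the `if` branch that closes with `ap_rputs("</httpd:manager>", r);` emits the XML view of the balancer manager and is untouched, so confirm that its content type, set above this hunk, also declares a charset or deliberately relies on the XML default, so both views are labelled consistently. This is also the fourth copy of the literal "text/html; charset=ISO-8859-1" in the commit; a shared define would keep the call sites from drifting.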
