httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r608194 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/dav/main/mod_dav.c modules/experimental/util_ldap.c modules/generators/mod_info.c modules/proxy/proxy_ftp.c
Date Wed, 02 Jan 2008 19:30:00 GMT
Author: jim
Date: Wed Jan  2 11:29:59 2008
New Revision: 608194

URL: http://svn.apache.org/viewvc?rev=608194&view=rev
Log:
     http://svn.apache.org/viewvc?rev=606693&view=rev
     http://svn.apache.org/viewvc?rev=607276&view=rev


Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c
    httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c
    httpd/httpd/branches/2.0.x/modules/generators/mod_info.c
    httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=608194&r1=608193&r2=608194&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Jan  2 11:29:59 2008
@@ -17,6 +17,11 @@
      shutdown of the server when the MaxClients is higher then 257,
      in a more responsive manner [Mladen Turk, William Rowe]
 
+  *) Add explicit charset to the output of various modules to work around
+     possible cross-site scripting flaws affecting web browsers that do not
+     derive the response character set as required by  RFC2616.  One of these
+     reported by SecurityReason [Joe Orton]
+
   *) http_protocol: Escape request method in 405 error reporting.
      This has no security impact since the browser cannot be tricked
      into sending arbitrary method strings.  [Jeff Trawick]
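Review bot: the new CHANGES entry has a grammatical slip and a stray double space: "required by  RFC2616.  One of these reported by SecurityReason" should read "required by RFC 2616. One of these was reported by SecurityReason". It would also help readers to name the modules touched (mod_dav, util_ldap, mod_info and proxy_ftp, per the files in this commit) instead of "various modules", and to cite the advisory identifier if one has been assigned.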

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=608194&r1=608193&r2=608194&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Wed Jan  2 11:29:59 2008
@@ -113,16 +113,6 @@
 RELEASE SHOWSTOPPERS:
 
 
- * Various modules: Add explicit charset to the output of various modules to
-   work around possible cross-site scripting flaws affecting web browsers that
-   do not derive the response character set as required by RFC2616.
-    Trunk version of patch:
-       http://svn.apache.org/viewvc?rev=606693&view=rev
-       http://svn.apache.org/viewvc?rev=607276&view=rev
-    Backport version for 2.0.x of patch:
-       http://people.apache.org/~rpluem/patches/utf7_fix_2.0.x.diff
-    +1: rpluem, wrowe, jim
-
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
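Review bot: the STATUS entry being removed distinguishes the trunk patch (r606693 and r607276) from a separate 2.0.x backport diff (utf7_fix_2.0.x.diff), yet the commit log cites only the two trunk revisions. If the applied backport differs from the trunk change, the log should say so; otherwise anyone auditing this fix from the cited revisions will be comparing against the wrong diff.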

Modified: httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c?rev=608194&r1=608193&r2=608194&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c (original)
+++ httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c Wed Jan  2 11:29:59 2008
@@ -317,7 +317,7 @@
     /* ### I really don't think this is needed; gotta test */
     r->status_line = ap_get_status_line(status);
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     /* begin the response now... */
     ap_rvputs(r,
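Review bot: the literal "text/html; charset=ISO-8859-1" is now hard-coded in four separate modules in this commit; a single shared definition (for example next to the existing DOCTYPE_HTML_3_2 macro) would keep all four in step if the default charset ever changes. Note also that the header is a declaration, not a conversion: the body mod_dav writes via ap_rvputs must actually be ISO-8859-1 for the label to be truthful, which is the premise of this fix.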

Modified: httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c?rev=608194&r1=608193&r2=608194&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c (original)
+++ httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c Wed Jan  2 11:29:59 2008
@@ -139,7 +139,7 @@
         return DECLINED;
     }
 
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
     if (r->header_only)
         return OK;
 
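Review bot: this hunk assigns r->content_type directly while the other three files in the commit call ap_set_content_type(); for consistency the line should be `ap_set_content_type(r, "text/html; charset=ISO-8859-1");` unless there is a reason the util_ldap status handler must avoid that API. The early return on r->header_only is unaffected, since the content type is set before it.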

Modified: httpd/httpd/branches/2.0.x/modules/generators/mod_info.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/generators/mod_info.c?rev=608194&r1=608193&r2=608194&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/generators/mod_info.c (original)
+++ httpd/httpd/branches/2.0.x/modules/generators/mod_info.c Wed Jan  2 11:29:59 2008
@@ -318,7 +318,7 @@
     if (r->method_number != M_GET)
 	return DECLINED;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     ap_rputs(DOCTYPE_HTML_3_2
 	     "<html><head><title>Server Information</title></head>\n",
r);
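Review bot: the hunk's last context line `r);` appears without the indentation of the continuation line above it, which looks like a mail-rendering artifact rather than a change; worth confirming the committed file is unchanged there. On the change itself, mod_info renders server configuration into HTML, so the declared ISO-8859-1 charset is only accurate if that text is Latin-1; non-Latin-1 bytes in a configuration will now be displayed as Latin-1 instead of being charset-sniffed by the browser, which is the safer failure mode this fix is after.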

Modified: httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c?rev=608194&r1=608193&r2=608194&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c (original)
+++ httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c Wed Jan  2 11:29:59 2008
@@ -1702,7 +1702,7 @@
 
     /* set content-type */
     if (dirlisting) {
-        ap_set_content_type(r, "text/html");
+        ap_set_content_type(r, "text/html; charset=ISO-8859-1");
     }
     else {
         if (r->content_type) {
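Review bot: the charset is added only on the dirlisting branch, and the else branch that passes through an existing r->content_type is correctly left alone, since the proxy cannot know the encoding of a file fetched from the remote server. The generated listing is built from names returned by that server and is labelled, not transcoded, so any non-Latin-1 bytes in those names will render as Latin-1 rather than being interpreted through browser charset sniffing; a short comment stating that intent above the ap_set_content_type() call would save the next reader from wondering whether a conversion step is missing.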


