Author: jim Date: Wed Jan 2 11:29:59 2008 New Revision: 608194 URL: http://svn.apache.org/viewvc?rev=608194&view=rev Log: http://svn.apache.org/viewvc?rev=606693&view=rev http://svn.apache.org/viewvc?rev=607276&view=rev Modified: httpd/httpd/branches/2.0.x/CHANGES httpd/httpd/branches/2.0.x/STATUS httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c httpd/httpd/branches/2.0.x/modules/generators/mod_info.c httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c Modified: httpd/httpd/branches/2.0.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=608194&r1=608193&r2=608194&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Jan 2 11:29:59 2008 @@ -17,6 +17,11 @@ shutdown of the server when the MaxClients is higher then 257, in a more responsive manner [Mladen Turk, William Rowe] + *) Add explicit charset to the output of various modules to work around + possible cross-site scripting flaws affecting web browsers that do not + derive the response character set as required by RFC2616. One of these + reported by SecurityReason [Joe Orton] + *) http_protocol: Escape request method in 405 error reporting. This has no security impact since the browser cannot be tricked into sending arbitrary method strings. [Jeff Trawick] Modified: httpd/httpd/branches/2.0.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=608194&r1=608193&r2=608194&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/STATUS (original) +++ httpd/httpd/branches/2.0.x/STATUS Wed Jan 2 11:29:59 2008 
@@ -113,16 +113,6 @@ RELEASE SHOWSTOPPERS: - * Various modules: Add explicit charset to the output of various modules to - work around possible cross-site scripting flaws affecting web browsers that - do not derive the response character set as required by RFC2616. - Trunk version of patch: - http://svn.apache.org/viewvc?rev=606693&view=rev - http://svn.apache.org/viewvc?rev=607276&view=rev - Backport version for 2.0.x of patch: - http://people.apache.org/~rpluem/patches/utf7_fix_2.0.x.diff - +1: rpluem, wrowe, jim - PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] Modified: httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c?rev=608194&r1=608193&r2=608194&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c (original) +++ httpd/httpd/branches/2.0.x/modules/dav/main/mod_dav.c Wed Jan 2 11:29:59 2008 @@ -317,7 +317,7 @@ /* ### I really don't think this is needed; gotta test */ r->status_line = ap_get_status_line(status); - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); /* begin the response now... */ ap_rvputs(r, Modified: httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c?rev=608194&r1=608193&r2=608194&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c (original) +++ httpd/httpd/branches/2.0.x/modules/experimental/util_ldap.c Wed Jan 2 11:29:59 2008 
@@ -139,7 +139,7 @@ return DECLINED; } - r->content_type = "text/html"; + r->content_type = "text/html; charset=ISO-8859-1"; if (r->header_only) return OK; Modified: httpd/httpd/branches/2.0.x/modules/generators/mod_info.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/generators/mod_info.c?rev=608194&r1=608193&r2=608194&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/modules/generators/mod_info.c (original) +++ httpd/httpd/branches/2.0.x/modules/generators/mod_info.c Wed Jan 2 11:29:59 2008 @@ -318,7 +318,7 @@ if (r->method_number != M_GET) return DECLINED; - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); ap_rputs(DOCTYPE_HTML_3_2 "Server Information\n", r); Modified: httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c?rev=608194&r1=608193&r2=608194&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c (original) +++ httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c Wed Jan 2 11:29:59 2008 @@ -1702,7 +1702,7 @@ /* set content-type */ if (dirlisting) { - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); } else { if (r->content_type) {
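Review bot: the CHANGES entry says "various modules" without naming them, although the same commit touches mod_dav.c, util_ldap.c, mod_info.c and proxy_ftp.c; list those four in the entry so an administrator reading CHANGES can tell which handlers now send `text/html; charset=ISO-8859-1`. The final sentence "One of these reported by SecurityReason" also reads as a fragment; "One of these was reported by SecurityReason" matches the style of the surrounding entries.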
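Review bot: the util_ldap.c hunk assigns `r->content_type = "text/html; charset=ISO-8859-1";` directly, while the mod_dav.c, mod_info.c and proxy_ftp.c hunks in the same commit go through `ap_set_content_type(r, ...)`. Consider `ap_set_content_type(r, "text/html; charset=ISO-8859-1");` here as well, so that all four handlers set the content type through the same code path rather than three through the API and one by raw field assignment.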
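Review bot: in the proxy_ftp.c hunk the charset is applied only inside `if (dirlisting)`, which is the right scope, since the `else` branch passes through whatever `r->content_type` the proxied resource already had and must not be relabelled. The caveat that deserves a comment beside the new line is that a generated directory listing embeds names received from the remote FTP server, so declaring ISO-8859-1 can render names in other encodings incorrectly; the declaration is still the correct choice, because an unlabelled text/html response leaves the character set to the browser, which is the behaviour the CHANGES entry's cross-site scripting workaround is meant to shut off.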