httpd-cvs mailing list archives

Subject svn commit: r654730 - /httpd/httpd/branches/2.2.x/docs/manual/env.xml
Date Fri, 09 May 2008 09:00:42 GMT
Author: takashi
Date: Fri May  9 02:00:42 2008
New Revision: 654730

Merge r349917 from trunk:
Escape the dots in the regular expression.

Merge r595288 from trunk:
add note on security impact of suppress-error-charset
for broken browsers


Modified: httpd/httpd/branches/2.2.x/docs/manual/env.xml
--- httpd/httpd/branches/2.2.x/docs/manual/env.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/env.xml Fri May  9 02:00:42 2008
@@ -370,6 +370,19 @@
     set for the redirection text, and these broken browsers will then correctly
     use that of the destination page.</p>
+    <note type="warning">
+      <title>Security note</title> 
+      <p>Sending error pages without a specified character set may
+      allow a cross-site-scripting attack for existing browsers (MSIE)
+      which do not follow the HTTP/1.1 specification and attempt to
+      "guess" the character set from the content.  Such browsers can
+      be easily fooled into using the UTF-7 character set, and UTF-7
+      content from input data (such as the request-URI) will not be
+      escaped by the usual escaping mechanisms designed to prevent
+      cross-site-scripting attacks.</p>
+    </note>
    <section id="proxy"><title>force-proxy-request-1.0, proxy-nokeepalive, proxy-sendchunked,
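Review bot: the new warning never names the `suppress-error-charset` variable it documents, so a reader who lands on the note alone cannot tell that it is the act of suppressing the charset on error pages that opens the window for charset guessing; suggest opening with a sentence such as "Setting suppress-error-charset causes error pages to be sent without a character set, which may allow ..." and then keeping the explanation of MSIE's UTF-7 guessing as written. Two smaller points in the same hunk: the line `<title>Security note</title> ` carries trailing whitespace that should be dropped, and "cross-site-scripting" is hyphenated three times here while the rest of the manual writes "cross-site scripting" (hyphen only between "cross" and "site"), so the note should match. The substance is sound: with no charset declared, the usual escaping of request-supplied data (for example the request-URI) gives no protection once the browser decides the bytes are UTF-7, so the note is a worthwhile addition even though the mitigation is simply not setting the variable for unauthenticated clients.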
@@ -436,7 +449,7 @@
         in limited circumstances. We assume that all your images are in
         a directory called /web/images.</p>
-SetEnvIf Referer "^" local_referal
+SetEnvIf Referer "^http://www\.example\.com/" local_referal
 # Allow browsers that do not send Referer info
 SetEnvIf Referer "^$" local_referal
 &lt;Directory /web/images&gt;
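Review bot: the corrected pattern `"^http://www\.example\.com/"` fixes two defects in the old line at once, and both deserve a word in the surrounding prose. The old pattern `"^"` matched every Referer value, so `local_referal` was set for every request and the example did not restrict anything; the new anchored host prefix is what the text ("images ... in a directory called /web/images", served only to local pages) actually requires, and escaping the dots stops `www.example.com` from also matching hosts such as `wwwXexampleYcom`. Worth adding to the prose around the example: the match is exact-case and `http://` only, so pages served over HTTPS or with a differently cased host name will be denied the images; `SetEnvIfNoCase` exists for the case problem and a second `SetEnvIf` line (or a `https?://` alternation) covers the scheme. The existing sentence that this works only "in limited circumstances" should stay, since Referer is client-supplied and the check is a courtesy against casual hotlinking, not an access control.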
