httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Abele <e...@codefaktor.de>
Subject Re: cvs commit: httpd-2.0/docs/error/include top.html
Date Sun, 25 Aug 2002 00:46:58 GMT
Joshua Slive wrote:
> erikabele@apache.org wrote:
> 
>> erikabele    2002/08/24 15:25:16
>>
>>   Modified:    docs/error HTTP_BAD_GATEWAY.html.var
>>                         HTTP_INTERNAL_SERVER_ERROR.html.var
>>                docs/error/include top.html
>>   Log:
>>   Added encoding="none" for the ssi-output of REDIRECT_ERROR_NOTES.
>>   This fixes the output of HTML-tags through the above env-var (e.g.
>>   <p> instead of &lt;p&gt;).
> 
> 
> Hmmm... We need a security-review of this change.  Is it possible in any 
> way for the client to insert something into REDIRECT_ERROR_NOTES?  If 
> so, this change must be reversed, because it opens a 
> Cross-site-scripting vulnerability.

If it is possible for the client, you're right and we will have to be 
very careful. Unfortunately I don't know this too. Hope someone can help.

> Where are the <p> tags coming from, anyway?  I thought ERROR_NOTES was 
> plain text.
> 

For example in proxy-util.c (grep for 'error-notes').

Erik


Mime
View raw message