httpd-dev mailing list archives

From Justin Erenkrantz <jerenkra...@apache.org>
Subject Re: [PATCH] ServerSignature privacy - option 1
Date Wed, 06 Nov 2002 01:58:28 GMT
--On Tuesday, November 5, 2002 1:38 PM +0000 Francis Daly 
<deva@daoine.org> wrote:

> I don't believe there's a danger of any client-side data appearing
> there, but even so it may be worth wrapping the output of
> ap_server_version() with ap_escape_html() -- although if a webmaster
> chooses to load mod_<blink>, perhaps they shouldn't be helped.  If
> it is wanted, the change is obvious.

Yeah, I'm not too concerned about a CSS attack here because this is 
exactly the same data as emitted by the Server header (which 
shouldn't contain HTML and doesn't have any user-specific data).

> Two patches below: one is for httpd-2.0/server/core.c, which just
> adds (unescaped) ap_get_server_version() to ap_psignature.  Against
> the current CVS version; not compiled, not tested, but it looks
> right to me.

Looks fine.  Committed.  Thanks!  -- justin
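
The escaping option discussed in the quoted text, as an added example that is not part of the original message or of httpd's source: a server-version string is embedded in a signature footer with and without HTML escaping. escape_html() and build_signature() are hypothetical stand-ins, and the version string and <address> layout are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an HTML escaper such as ap_escape_html();
 * not httpd's implementation. Returns 0, or -1 if out is too small. */
int escape_html(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '&': rep = "&amp;";  break;
        case '"': rep = "&quot;"; break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= outsz) return -1;        /* keep room for the NUL */
        if (rep) memcpy(out + o, rep, n); else out[o] = *in;
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Builds a signature footer; the <address> layout is an assumption.
 * escape != 0 escapes the version string before embedding it. */
int build_signature(const char *version, int escape, char *out, size_t outsz)
{
    char v[512];
    int n;
    if (escape && escape_html(version, v, sizeof v) != 0) return -1;
    n = snprintf(out, outsz, "<address>%s Server</address>\n",
                 escape ? v : version);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed version string with a module token containing markup. */
    const char *ver = "Apache/2.0 (Unix) mod_<blink>/1.0";
    char buf[600];
    if (build_signature(ver, 0, buf, sizeof buf) == 0) fputs(buf, stdout);
    if (build_signature(ver, 1, buf, sizeof buf) == 0) fputs(buf, stdout);
    return 0;
}
```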
