httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Push for 2.4.4
Date Sat, 15 Dec 2012 14:02:10 GMT
On 12.12.2012 14:00, Jim Jagielski wrote:
> We have just a handful of backports in STATUS, and most are
> awaiting just a single additional +1 to be approved.
> 
> Let's push on clearing STATUS and getting a 2.4.4 out before
> the Christmas holiday...

Test suite for 2.4 at least for my Solaris 10 build with reallyall
modules and recent APR 1.4.6 APU 1.5.1 currently looks not to bad.

Only one failure after fixing another broken test:

# Failed test 2 in t/security/CVE-2005-3352.t at line 18
t/security/CVE-2005-3352.t ..
1..2
...
ok 1
# testing : referer was escaped
# expected: (?^:\&quot)
# received: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
# <html><head>
# <title>Menu for /security/CVE-2005-3352.map</title>
# </head><body>
# <h1>Menu for /security/CVE-2005-3352.map</h1>
# <hr />
#
# <pre>(Default) <a
href="http://localhost:8529/security/%22%3ehttp://fish/">Go Back</a></pre>
#
#
# </body>
# </html>
not ok 2

The referer it sent was: ">http://fish/

It seems the test expected the '"' to get encoded as &quot; and instead
it received a percent encoding. Not sure whether the behavior or the
test is broken.

The change was introduced by r1418941 (trunk r1413732), where in this
specific case ap_escape_html() was replaced by ap_escape_uri().

Regards,

Rainer

Mime
View raw message