Posted to cvs@httpd.apache.org by rj...@apache.org on 2013/02/15 20:28:26 UTC

svn commit: r1446736 - /httpd/httpd/branches/2.2.x/STATUS

Author: rjung
Date: Fri Feb 15 19:28:26 2013
New Revision: 1446736

URL: http://svn.apache.org/r1446736
Log:
Comment

Modified:
    httpd/httpd/branches/2.2.x/STATUS

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1446736&r1=1446735&r2=1446736&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Feb 15 19:28:26 2013
@@ -204,6 +204,11 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
      +1: rjung
      rpluem says: Now t/security/CVE-2005-3352.t fails. Not sure if this is a real
      regression or if just the test is wrong, but this should be investigated.
+     rjung: The test sends a Referer '">http://fish/'.
+            The original code returns '<a href="http://IP/&quot;&gt;http://fish/">'
+            The patched code returns  '<a href="http://IP/%22%3ehttp://fish/">'
+            This seems to be even better IMHO. 2.4 also returns the percent encoded
+            variant, so the test should fail there as well.
 
 PATCHES/ISSUES THAT ARE STALLED
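Review bot: The added rjung note resolves rpluem's question only by inference. Its last line says the test "should fail there as well" on 2.4, but does not record whether t/security/CVE-2005-3352.t was actually run against 2.4 or which output string the test asserts on. Suggest stating the observed 2.4 test result and adding a line that the test needs updating to accept the percent-encoded form ('%22%3e') as well as the entity-encoded form ('&quot;&gt;'), so the failing test is not left as an open item beside a +1. In both outputs quoted, the '"' and '>' from the Referer no longer appear literally inside the href attribute. That is the reason the change is not a regression, and the note would be stronger if it stated this directly rather than as "even better IMHO".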