Posted to cvs@httpd.apache.org by rp...@apache.org on 2007/12/24 12:45:30 UTC

svn commit: r606693 - in /httpd/httpd/trunk: CHANGES modules/dav/main/mod_dav.c modules/generators/mod_info.c modules/ldap/util_ldap.c modules/proxy/mod_proxy_balancer.c modules/proxy/mod_proxy_ftp.c

Author: rpluem
Date: Mon Dec 24 03:45:22 2007
New Revision: 606693

URL: http://svn.apache.org/viewvc?rev=606693&view=rev
Log:
* Set the character set to ISO-8859-1 for HTML output generated by mod_ldap,
  mod_proxy_balancer, mod_proxy_ftp, mod_info and mod_dav, which previously
  declared no character set.

Submitted by: jorton

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/dav/main/mod_dav.c
    httpd/httpd/trunk/modules/generators/mod_info.c
    httpd/httpd/trunk/modules/ldap/util_ldap.c
    httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
    httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=606693&r1=606692&r2=606693&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Dec 24 03:45:22 2007
@@ -2,6 +2,22 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_ldap: Set character set for status page to ISO-8859-1 to avoid
+     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+
+  *) mod_proxy_balancer: Set character set for balancer manager to ISO-8859-1
+     to avoid UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+
+  *) mod_proxy_ftp: Set character set for generated FTP directory listing to
+     ISO-8859-1 to avoid UTF-7 XSS vulnerabilities of certain browsers.
+     [Joe Orton]
+
+  *) mod_info: Set character set for info page to ISO-8859-1 to avoid
+     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+
+  *) mod_dav: Set character set for error pages to ISO-8859-1 to avoid
+     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+
   *) mod_ssl: Added server name indication support (RFC 4366).
      PR 34607. [Kaspar Brand <asfbugz velox.ch>]
 

Modified: httpd/httpd/trunk/modules/dav/main/mod_dav.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?rev=606693&r1=606692&r2=606693&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/dav/main/mod_dav.c (original)
+++ httpd/httpd/trunk/modules/dav/main/mod_dav.c Mon Dec 24 03:45:22 2007
@@ -314,7 +314,7 @@
 {
     r->status = status;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     /* begin the response now... */
     ap_rvputs(r,
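Review bot: Nothing at the changed line says why the charset is pinned, so a later cleanup could drop it back to plain `text/html` and reopen the UTF-7 sniffing XSS that the CHANGES entries describe. I would add a comment above the call, e.g. `/* explicit charset so browsers do not auto-detect UTF-7 in this generated page (XSS) */`. The same applies to the identical edits in mod_info.c, util_ldap.c, mod_proxy_balancer.c and mod_proxy_ftp.c; since the literal is now repeated in five files, a shared constant in a common header would keep the call sites consistent and easy to audit. The enclosing function starts and ends outside the hunk, so the escaping of whatever is written after `ap_rvputs(r,` cannot be checked from here.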

Modified: httpd/httpd/trunk/modules/generators/mod_info.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_info.c?rev=606693&r1=606692&r2=606693&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/generators/mod_info.c (original)
+++ httpd/httpd/trunk/modules/generators/mod_info.c Mon Dec 24 03:45:22 2007
@@ -608,7 +608,7 @@
     if (r->method_number != M_GET)
         return DECLINED;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     ap_rputs(DOCTYPE_XHTML_1_0T
              "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"

Modified: httpd/httpd/trunk/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap.c?rev=606693&r1=606692&r2=606693&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ldap/util_ldap.c (original)
+++ httpd/httpd/trunk/modules/ldap/util_ldap.c Mon Dec 24 03:45:22 2007
@@ -106,7 +106,7 @@
         return DECLINED;
     }
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     if (r->header_only)
         return OK;

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?rev=606693&r1=606692&r2=606693&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c Mon Dec 24 03:45:22 2007
@@ -753,7 +753,7 @@
         ap_rputs("</httpd:manager>", r);
     }
     else {
-        ap_set_content_type(r, "text/html");
+        ap_set_content_type(r, "text/html; charset=ISO-8859-1");
         ap_rputs(DOCTYPE_HTML_3_2
                  "<html><head><title>Balancer Manager</title></head>\n", r);
         ap_rputs("<body><h1>Load Balancer Manager for ", r);

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c?rev=606693&r1=606692&r2=606693&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c Mon Dec 24 03:45:22 2007
@@ -1691,7 +1691,7 @@
 
     /* set content-type */
     if (dirlisting) {
-        ap_set_content_type(r, "text/html");
+        ap_set_content_type(r, "text/html; charset=ISO-8859-1");
     }
     else {
         if (r->content_type) {
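Review bot: In the `if (dirlisting)` branch the listing is labelled ISO-8859-1, but the entry names come from the remote FTP server and their encoding is presumably not known to the proxy. The label removes the browser's UTF-7 guess, yet names sent in UTF-8 or another encoding will display as wrong characters, which deserves a comment such as `/* fixed charset prevents UTF-7 sniffing; remote names are not transcoded */`. The header is only a mitigation: the code that writes the names into the HTML is outside this hunk and still has to escape them. The `else` branch that handles an existing `r->content_type` continues past the end of the hunk.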