Posted to cvs@httpd.apache.org by tr...@apache.org on 2007/12/11 21:08:14 UTC
svn commit: r603346 - in /httpd/httpd/trunk: CHANGES modules/http/http_protocol.c
Author: trawick
Date: Tue Dec 11 12:08:12 2007
New Revision: 603346
URL: http://svn.apache.org/viewvc?rev=603346&view=rev
Log:
http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings.
(words from jorton)
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/http/http_protocol.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=603346&r1=603345&r2=603346&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Dec 11 12:08:12 2007
@@ -2,6 +2,10 @@
Changes with Apache 2.3.0
[ When backported to 2.2.x, remove entry from this file ]
+ *) http_protocol: Escape request method in 405 error reporting.
+ This has no security impact since the browser cannot be tricked
+ into sending arbitrary method strings. [Jeff Trawick]
+
*) ApacheMonitor.exe: Introduce --kill argument for use by the
installer. This will permit the installation tool to remove
all running instances before attempting to remove the .exe.
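Review bot: the justification in the new CHANGES entry ("the browser cannot be tricked into sending arbitrary method strings") only covers browser clients; any non-browser client can send an arbitrary method token, so the entry would be more accurate if it described the change as consistent escaping of request-derived text in error pages rather than resting the "no security impact" claim on browser behaviour alone.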
Modified: httpd/httpd/trunk/modules/http/http_protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/http_protocol.c?rev=603346&r1=603345&r2=603346&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http/http_protocol.c (original)
+++ httpd/httpd/trunk/modules/http/http_protocol.c Tue Dec 11 12:08:12 2007
@@ -913,7 +913,8 @@
NULL));
case HTTP_METHOD_NOT_ALLOWED:
return(apr_pstrcat(p,
- "<p>The requested method ", r->method,
+ "<p>The requested method ",
+ ap_escape_html(r->pool, r->method),
" is not allowed for the URL ",
ap_escape_html(r->pool, r->uri),
".</p>\n",
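Review bot: the enclosing apr_pstrcat allocates from p while the new ap_escape_html(r->pool, r->method) call, like the existing ap_escape_html(r->pool, r->uri) two lines below, allocates from r->pool; if p and r->pool are ever different, the escaped copies and the concatenated result have different lifetimes, so using one pool for all three allocations would be tidier. The change itself is right: r->method is now escaped the same way r->uri already was, so both request-derived fields in the 405 body are treated consistently.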