Posted to cvs@httpd.apache.org by mj...@apache.org on 2006/04/19 10:33:22 UTC
svn commit: r395173 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/http/http_protocol.c
Author: mjc
Date: Wed Apr 19 01:33:19 2006
New Revision: 395173
URL: http://svn.apache.org/viewcvs?rev=395173&view=rev
Log:
http_protocol: Fix escaping of Expect error message
+1: mjc, trawick, rpluem, jim
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/modules/http/http_protocol.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=395173&r1=395172&r2=395173&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Apr 19 01:33:19 2006
@@ -1,6 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.2
+ *) HTML-escape the Expect error message. Not classed as security as
+ an attacker has no way to influence the Expect header a victim will
+ send to a target site. Reported by Thiago Zaninotti
+ <thiango nstalker.com>. [Mark Cox]
+
*) htdbm: Warn the user when adding a plaintext password on a platform
where it wouldn't work with the server (i.e., anywhere that has
crypt()). [Jeff Trawick]
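Review bot: the reporter credit on the last added line reads `<thiango nstalker.com>`, with no `@` between the local part and the domain, so it reads as a typo rather than as a deliberately obfuscated address; if obfuscation is intended, a form such as `thiago at nstalker dot com` makes that clear, and if not, the address should be restored before this CHANGES entry ships in 2.2.2.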
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/STATUS?rev=395173&r1=395172&r2=395173&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Apr 19 01:33:19 2006
@@ -71,13 +71,6 @@
RELEASE SHOWSTOPPERS:
- * http_protocol: Fix escaping of Expect error message
- Trunk version of patch:
- http://svn.apache.org/viewcvs?rev=394965&view=rev
- 2.2.x version of patch:
- Trunk version with changed offsets
- +1: mjc, trawick, rpluem, jim
-
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
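Review bot: the removed STATUS entry is the only place this backport records where it came from (the trunk patch at r394965, applied to 2.2.x with changed offsets), and the commit log above repeats only the one-line summary and the votes; consider adding the trunk revision to the log message so the merge remains traceable from the 2.2.x history once this entry is gone.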
Modified: httpd/httpd/branches/2.2.x/modules/http/http_protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/modules/http/http_protocol.c?rev=395173&r1=395172&r2=395173&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/http/http_protocol.c (original)
+++ httpd/httpd/branches/2.2.x/modules/http/http_protocol.c Wed Apr 19 01:33:19 2006
@@ -996,7 +996,7 @@
"request-header"
"\nfield could not be met by this server.</p>\n"
"<p>The client sent<pre>\n Expect: ",
- apr_table_get(r->headers_in, "Expect"),
+ ap_escape_html(r->pool, apr_table_get(r->headers_in, "Expect")),
"\n</pre>\n"
"but we only allow the 100-continue "
"expectation.</p>\n",
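Review bot: `ap_escape_html` dereferences the string it is handed, while `apr_table_get` returns NULL when the header is absent, so the new line changes what happens when no Expect header is present: if this argument list is the usual apr_pstrcat concatenation, a NULL here previously only cut the message short, whereas it now becomes a NULL dereference. Confirm that this branch cannot be entered for an HTTP_EXPECTATION_FAILED raised by anything other than the Expect check, or fetch the header into a local first and fall back to an empty string, e.g. `const char *expect = apr_table_get(r->headers_in, "Expect");` followed by `ap_escape_html(r->pool, expect ? expect : "")`.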