Posted to cvs@httpd.apache.org by rp...@apache.org on 2013/02/16 19:27:36 UTC

svn commit: r1446921 - /httpd/httpd/branches/2.2.x/STATUS

Author: rpluem
Date: Sat Feb 16 18:27:36 2013
New Revision: 1446921

URL: http://svn.apache.org/r1446921
Log:
* Withdraw comment and vote as test was fixed in r1446920 to expect URI encoded referer instead of HTML escaped one.

Modified:
    httpd/httpd/branches/2.2.x/STATUS

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1446921&r1=1446920&r2=1446921&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sat Feb 16 18:27:36 2013
@@ -201,15 +201,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
      2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1418941
                   http://svn.apache.org/viewvc?view=revision&revision=1425750
      2.2.x patch: http://people.apache.org/~rjung/patches/host-and-uri-escaping-2_2.patch
-     +1: rjung
-     rpluem says: Now t/security/CVE-2005-3352.t fails. Not sure if this is a real
-     regression or if just the test is wrong, but this should be investigated.
-     rjung: The test sends a Referer '">http://fish/'.
-            The original code returns '<a href="http://IP/&quot;&gt;http://fish/">'
-            The patched code returns  '<a href="http://IP/%22%3ehttp://fish/">'
-            This seems to be even better IMHO. 2.4 also returns the percent encoded
-            variant, so the test should fail there as well.
-     rpluem replies: So I guess the test should be fixed.
+     +1: rjung, rpluem
 
 PATCHES/ISSUES THAT ARE STALLED
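
Review bot: The new vote line `+1: rjung, rpluem` leaves no record of the t/security/CVE-2005-3352.t discussion, so the next voter on this entry will not see that the backport changes how the Referer is rendered inside the `href`, from HTML escaping (`&quot;&gt;`) to percent encoding (`%22%3e`), or that the test expectation had to change to match. Consider keeping a one-line note under the entry that names the behaviour change and points at r1446920, where the log message says the test was fixed. The removed text also says 2.4 returns the percent-encoded variant and that the test should fail there as well, so the note could state whether the test fix covers 2.4.x too.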