Posted to cvs@httpd.apache.org by tr...@apache.org on 2007/12/15 14:32:52 UTC

svn commit: r604426 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/http/http_protocol.c

Author: trawick
Date: Sat Dec 15 05:32:51 2007
New Revision: 604426

URL: http://svn.apache.org/viewvc?rev=604426&view=rev
Log:
merge r603346 from trunk:

  http_protocol: Escape request method in 405 error reporting.
  This has no security impact since the browser cannot be tricked
  into sending arbitrary method strings.

Reviewed by: wrowe, rpluem

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/modules/http/http_protocol.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=604426&r1=604425&r2=604426&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Sat Dec 15 05:32:51 2007
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.62
 
+  *) http_protocol: Escape request method in 405 error reporting.
+     This has no security impact since the browser cannot be tricked
+     into sending arbitrary method strings.  [Jeff Trawick]
+
   *) http_protocol: Escape request method in 413 error reporting.
      Determined to be not generally exploitable, but a flaw in any case.
      PR 44014 [Victor Stinner <victor.stinner inl.fr>]
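Review bot: The new 405 entry carries no reference back to the originating change, unlike the 413 entry directly below it, which cites PR 44014. Adding the trunk revision named in the log message (r603346) would make the backport traceable from CHANGES alone. The rationale "the browser cannot be tricked into sending arbitrary method strings" is also scoped to browsers only; wording closer to the 413 entry's "not generally exploitable, but a flaw in any case" would describe the fix without tying it to one class of client.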

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=604426&r1=604425&r2=604426&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Sat Dec 15 05:32:51 2007
@@ -129,13 +129,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * http_protocol: Escape request method in 405 error reporting.
-    Trunk:
-      http://svn.apache.org/viewvc?view=rev&revision=603346
-    2.0.x:
-      Trunk patch applies.
-    +1: trawick, wrowe, rpluem
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are!  Add all new

Modified: httpd/httpd/branches/2.0.x/modules/http/http_protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/http/http_protocol.c?rev=604426&r1=604425&r2=604426&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/http/http_protocol.c (original)
+++ httpd/httpd/branches/2.0.x/modules/http/http_protocol.c Sat Dec 15 05:32:51 2007
@@ -2182,7 +2182,8 @@
                            NULL));
     case HTTP_METHOD_NOT_ALLOWED:
         return(apr_pstrcat(p,
-                           "<p>The requested method ", r->method,
+                           "<p>The requested method ",
+                           ap_escape_html(r->pool, r->method),
                            " is not allowed for the URL ",
                            ap_escape_html(r->pool, r->uri),
                            ".</p>\n",
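Review bot: In the HTTP_METHOD_NOT_ALLOWED case, the added ap_escape_html(r->pool, r->method) allocates from r->pool while the enclosing apr_pstrcat builds the result in p. That matches the existing ap_escape_html(r->pool, r->uri) call two lines later, so the hunk is internally consistent, but a one-line comment stating that every request-derived string placed in these error bodies must pass through ap_escape_html would help keep later cases from repeating the raw r->method pattern. Only the 405 case is visible in this hunk, so it is worth confirming before merge that no other case in the same switch still concatenates r->method unescaped.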