CVE-2006-5752 backport
authorSander Temme <sctemme@apache.org>
Thu, 12 Jul 2007 03:49:09 +0000 (03:49 +0000)
committerSander Temme <sctemme@apache.org>
Thu, 12 Jul 2007 03:49:09 +0000 (03:49 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@555482 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/generators/mod_status.c

diff --git a/CHANGES b/CHANGES
index 263853acdf82184568903dffd3fa4f305b10bf1e..54a1eb607e6cb5bfea6e19ea449c2f8a36ec7708 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.60
 
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]
+
   *) mod_ssl: initialize thread locks before initializing the hardware
      acceleration library, so the latter can make use of the former. 
      PR 20951. [<adunn ncipher.com>]
diff --git a/STATUS b/STATUS
index f59ea33712d0160590b6d31d1e7920a1c8cb20ce..a8cc69eb2f8e5011ca7135737caa34132aaff85a 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -114,7 +114,7 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-    *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+    * SECURITY: CVE-2007-1863 (cve.mitre.org)
       mod_cache: Prevent segfault from Cache-Control headers with no
       values
       Trunk version of patch:
@@ -142,11 +142,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
        http://svn.apache.org/viewvc?view=rev&rev=520733
        +1: wrowe, sctemme, rpluem
 
-    * SECURITY: CVE-2006-5752
-      mod_status XSS fix for broken browsers:
-        http://svn.apache.org/viewvc?view=rev&rev=549159
-      +1: jorton, rpluem, sctemme
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are!  Add all new
index 771cd072070d0a9b81bc6c11624e1c524364264f..cb176ce09cf933734bedc450aa39afd9b900bb1e 100644 (file)
@@ -269,7 +269,7 @@ static int status_handler(request_rec *r)
     if (r->method_number != M_GET)
         return DECLINED;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     /*
      * Simple table-driven form data set parser that lets you alter the header
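Review bot: Nothing at the new `ap_set_content_type(r, "text/html; charset=ISO-8859-1")` call says why the charset is pinned, so a later cleanup could drop the parameter and reopen CVE-2006-5752 for browsers that guess the encoding. A one-line comment above the call would be enough, for example `/* Declare the charset explicitly so browsers do not guess one from echoed request data (CVE-2006-5752). */`. The same comment is worth adding at the `text/plain; charset=ISO-8859-1` call under `STAT_OPT_AUTO` in the next hunk. status_handler begins and ends outside this hunk.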
@@ -298,7 +298,7 @@ static int status_handler(request_rec *r)
                     no_table_report = 1;
                     break;
                 case STAT_OPT_AUTO:
-                    ap_set_content_type(r, "text/plain");
+                    ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
                     short_report = 1;
                     break;
                 }
@@ -664,7 +664,8 @@ static int status_handler(request_rec *r)
                                ap_escape_html(r->pool,
                                               ws_record->client),
                                ap_escape_html(r->pool,
-                                              ws_record->request),
+                                              ap_escape_logitem(r->pool,
+                                                                ws_record->request)),
                                ap_escape_html(r->pool,
                                               ws_record->vhost));
                 }
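Review bot: The nested `ap_escape_html(r->pool, ap_escape_logitem(r->pool, ws_record->request))` carries no comment on why the request string gets two passes or why the order matters, and the same expression is repeated in the hunk at -753. I would add `/* request line is client-supplied: escape non-printable bytes first, then HTML metacharacters */` above the enclosing output call, which starts outside this hunk. `ws_record->client` next to it still goes through `ap_escape_html` alone; whether that field can hold anything other than an address cannot be told from these lines, so it is worth confirming it does not need the same treatment.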
@@ -753,7 +754,8 @@ static int status_handler(request_rec *r)
                                    ap_escape_html(r->pool,
                                                   ws_record->vhost),
                                    ap_escape_html(r->pool,
-                                                  ws_record->request));
+                                                  ap_escape_logitem(r->pool, 
+                                                                    ws_record->request)));
                 } /* no_table_report */
             } /* for (j...) */
         } /* for (i...) */
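Review bot: The added line `ap_escape_logitem(r->pool, ` ends in a trailing blank after the comma, unlike its twin in the hunk at -664. Dropping it, so that the line ends `ap_escape_logitem(r->pool,`, keeps the two report branches textually identical and avoids whitespace noise in later diffs.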