From: Jeff Trawick Date: Tue, 11 Dec 2007 20:08:12 +0000 (+0000) Subject: http_protocol: Escape request method in 405 error reporting. X-Git-Tag: 2.3.0~1150 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=037475eaf9be210b124eef519ceaef2af102d731;p=thirdparty%2Fapache%2Fhttpd.git http_protocol: Escape request method in 405 error reporting. This has no security impact since the browser cannot be tricked into sending arbitrary method strings. (words from jorton) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@603346 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 4fbe6a26854..ee29e61bac4 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.3.0 [ When backported to 2.2.x, remove entry from this file ] + *) http_protocol: Escape request method in 405 error reporting. + This has no security impact since the browser cannot be tricked + into sending arbitrary method strings. [Jeff Trawick] + *) ApacheMonitor.exe: Introduce --kill argument for use by the installer. This will permit the installation tool to remove all running instances before attempting to remove the .exe. diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c index 71d1e9d1a63..87f3f3079a8 100644 --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c @@ -913,7 +913,8 @@ static const char *get_canned_error_string(int status, NULL)); case HTTP_METHOD_NOT_ALLOWED: return(apr_pstrcat(p, - "

The requested method ", r->method, + "

The requested method ", + ap_escape_html(r->pool, r->method), " is not allowed for the URL ", ap_escape_html(r->pool, r->uri), ".

\n",
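Review bot: In the CHANGES hunk, the new entry justifies the change with "This has no security impact since the browser cannot be tricked into sending arbitrary method strings", which is an assumption about client behaviour rather than a property of what the server emits. Suggest that the entry state the change itself (the request method is now HTML-escaped in the 405 error body) and either drop the impact sentence or scope it explicitly to browser-originated requests, so the entry stays accurate if that assumption stops holding.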
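Review bot: In the http_protocol.c hunk, in the HTTP_METHOD_NOT_ALLOWED case, the added ap_escape_html(r->pool, r->method) allocates from r->pool while the enclosing apr_pstrcat(p, ...) builds the string in p. That matches the existing ap_escape_html(r->pool, r->uri) argument, so the hunk is internally consistent, but if p can ever differ from r->pool it would be cleaner to escape both values into p. A one-line comment that r->method is client-supplied and is reflected into HTML here would also help keep the escaping from being dropped in a later edit.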