http_protocol: Escape request method in 405 error reporting.
authorJeff Trawick <trawick@apache.org>
Tue, 11 Dec 2007 20:08:12 +0000 (20:08 +0000)
committerJeff Trawick <trawick@apache.org>
Tue, 11 Dec 2007 20:08:12 +0000 (20:08 +0000)
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings.

(words from jorton)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@603346 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/http/http_protocol.c

diff --git a/CHANGES b/CHANGES
index 4fbe6a26854a9d726983dfb4f9159c5d92f290e5..ee29e61bac4639938266239d2a217fa1f8c09ef6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) http_protocol: Escape request method in 405 error reporting.
+     This has no security impact since the browser cannot be tricked
+     into sending arbitrary method strings.  [Jeff Trawick]
+
   *) ApacheMonitor.exe: Introduce --kill argument for use by the
      installer.  This will permit the installation tool to remove
      all running instances before attempting to remove the .exe.
index 71d1e9d1a63e5ef0f3bc79acea1200a93dce01fc..87f3f3079a805b521ad71698e900292cdd9f6148 100644 (file)
@@ -913,7 +913,8 @@ static const char *get_canned_error_string(int status,
                            NULL));
     case HTTP_METHOD_NOT_ALLOWED:
         return(apr_pstrcat(p,
-                           "<p>The requested method ", r->method,
+                           "<p>The requested method ",
+                           ap_escape_html(r->pool, r->method),
                            " is not allowed for the URL ",
                            ap_escape_html(r->pool, r->uri),
                            ".</p>\n",
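Review bot: The newly escaped `r->method` argument in the `HTTP_METHOD_NOT_ALLOWED` case has no comment saying why it is escaped, and the only rationale on record (the commit message and CHANGES entry) rests on an assumption about browser behaviour. The method string is supplied by the client and is concatenated into an HTML fragment here, so I would add `/* r->method is client-supplied; escape it before echoing into HTML */` above the `ap_escape_html(r->pool, r->method)` line so the intent does not depend on that assumption. `get_canned_error_string` starts and ends outside this hunk, so the other `case` arms are not visible; any of them that emit `r->method` or other request-derived strings should be checked for the same escaping.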