shutdown of the server when the MaxClients is higher then 257,
in a more responsive manner [Mladen Turk, William Rowe]
+ *) Add explicit charset to the output of various modules to work around
+ possible cross-site scripting flaws affecting web browsers that do not
+ derive the response character set as required by RFC2616. One of these
+ reported by SecurityReason [Joe Orton]
+
*) http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings. [Jeff Trawick]
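Review bot: the new CHANGES entry says "various modules" without naming them, so a packager reading this file cannot tell which handlers now emit an explicit charset or audit whether one was missed; list the affected modules in the entry (the hunks in this same commit show which ones are touched) and, if an advisory identifier has been assigned for the SecurityReason report, cite it here rather than only the reporter.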
RELEASE SHOWSTOPPERS:
- * Various modules: Add explicit charset to the output of various modules to
- work around possible cross-site scripting flaws affecting web browsers that
- do not derive the response character set as required by RFC2616.
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=606693&view=rev
- http://svn.apache.org/viewvc?rev=607276&view=rev
- Backport version for 2.0.x of patch:
- http://people.apache.org/~rpluem/patches/utf7_fix_2.0.x.diff
- +1: rpluem, wrowe, jim
-
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
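Review bot: removing the showstopper entry also removes the only pointers to the trunk revisions (r606693, r607276) and the 2.0.x backport diff at people.apache.org/~rpluem/patches/utf7_fix_2.0.x.diff; since neither CHANGES nor the commit text records them, consider keeping the revision references in the commit message or the CHANGES entry so the backport can be traced to its trunk origin later.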
/* ### I really don't think this is needed; gotta test */
r->status_line = ap_get_status_line(status);
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
/* begin the response now... */
ap_rvputs(r,
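Review bot: the charset is hard-coded as the literal "text/html; charset=ISO-8859-1" here and again in every other module hunk of this patch; define it once (a single macro or constant shared by the core and the modules) so a future module that emits HTML, or a later change to the default charset, cannot silently reintroduce an unlabeled text/html response. The stale "### I really don't think this is needed; gotta test" comment above ap_get_status_line is unrelated to this change and should not be left to suggest the fix itself is untested.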
return DECLINED;
}
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=ISO-8859-1";
if (r->header_only)
return OK;
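Review bot: this hunk assigns r->content_type directly instead of calling ap_set_content_type() as the other hunks do; the direct store bypasses ap_set_content_type()'s side effect of inserting filters configured via AddOutputFiltersByType, so change it to `ap_set_content_type(r, "text/html; charset=ISO-8859-1");` for consistency and so content-type-based filters see this handler's output too.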
if (r->method_number != M_GET)
return DECLINED;
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
ap_rputs(DOCTYPE_HTML_3_2
"<html><head><title>Server Information</title></head>\n", r);
/* set content-type */
if (dirlisting) {
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
}
else {
if (r->content_type) {
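Review bot: for the dirlisting branch the page body is built from filenames read off the filesystem, which need not be Latin-1, so unconditionally labeling the listing as ISO-8859-1 can mislabel non-Latin-1 names even though it closes the browser charset-sniffing hole; unless the server already guarantees the encoding of the names it echoes, consider making the charset for directory listings configurable with ISO-8859-1 as the default rather than a fixed literal.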