* Set character set for HTML outputs generated by mod_ldap,

  mod_proxy_balancer, mod_proxy_ftp, mod_info, mod_dav without a character
  set to ISO-8859-1.

Submitted by: jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@606693 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 169ae96e3bc9bdc717ee2e6acaed7d661767ff4f..d5132c2627ca493c4ff0812c458e077ea2df777d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,22 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_ldap: Set character set for status page to ISO-8859-1 to avoid
+     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+
+  *) mod_proxy_balancer: Set character set for balancer manager to ISO-8859-1
+     to avoid UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+
+  *) mod_proxy_ftp: Set character set for generated FTP directory listing to
+     ISO-8859-1 to avoid UTF-7 XSS vulnerabilities of certain browsers.
+     [Joe Orton]
+
+  *) mod_info: Set character set for info page to ISO-8859-1 to avoid
+     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+
+  *) mod_dav: Set character set for error pages to ISO-8859-1 to avoid
+     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+
   *) mod_ssl: Added server name indication support (RFC 4366).
      PR 34607. [Kaspar Brand <asfbugz velox.ch>]
 

diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c
index 8a563571524ff98add9d88d5ed8495c5de1814a2..a40959b9e7b12a93682e07c3e4048de806f4ff4d 100644 (file)
--- a/modules/dav/main/mod_dav.c
+++ b/modules/dav/main/mod_dav.c
@@ -314,7 +314,7 @@ static int dav_error_response(request_rec *r, int status, const char *body)
 {
     r->status = status;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     /* begin the response now... */
     ap_rvputs(r,

diff --git a/modules/generators/mod_info.c b/modules/generators/mod_info.c
index 37461fdd220a47549f310b724daa741058ea1772..18f415b3b5ba2edf1e271c0decdbbb1bfc94d0cf 100644 (file)
--- a/modules/generators/mod_info.c
+++ b/modules/generators/mod_info.c
@@ -608,7 +608,7 @@ static int display_info(request_rec * r)
     if (r->method_number != M_GET)
         return DECLINED;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     ap_rputs(DOCTYPE_XHTML_1_0T
              "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"

diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index 5eab8f37314d77bbb3d25a10a51b2cda5f9294fd..ca5c6ffeb6a35208508731fe4bb49b0cba40543e 100644 (file)
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -106,7 +106,7 @@ static int util_ldap_handler(request_rec *r)
         return DECLINED;
     }
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     if (r->header_only)
         return OK;

diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index 70fd3316060d2019b72d11aac54dbc100a69b0d7..9932e75282735ba3b78d832485c398af1f605a80 100644 (file)
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -753,7 +753,7 @@ static int balancer_handler(request_rec *r)
         ap_rputs("</httpd:manager>", r);
     }
     else {
-        ap_set_content_type(r, "text/html");
+        ap_set_content_type(r, "text/html; charset=ISO-8859-1");
         ap_rputs(DOCTYPE_HTML_3_2
                  "<html><head><title>Balancer Manager</title></head>\n", r);
         ap_rputs("<body><h1>Load Balancer Manager for ", r);

diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
index 6d4c63a8c4194c7b2be17b5acf874fc537a42a23..277a0179419bd1921124b5fe9feded39c5ef345c 100644 (file)
--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
@@ -1691,7 +1691,7 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
 
     /* set content-type */
     if (dirlisting) {
-        ap_set_content_type(r, "text/html");
+        ap_set_content_type(r, "text/html; charset=ISO-8859-1");
     }
     else {
         if (r->content_type) {