http://svn.apache.org/viewvc?rev=606693&view=rev

       http://svn.apache.org/viewvc?rev=607276&view=rev

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@608192 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 54c5c38dec2439be77379fb761f44221a392e794..df1a936398450c30e10cd5f98fd58e4999c2f8a4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -39,6 +39,11 @@ Changes with Apache 2.2.7
   *) mod_disk_cache: Delete temporary files if they cannot be renamed to their
      final name. [Davi Arnaut <davi haxent.com.br>]
 
+  *) Add explicit charset to the output of various modules to work around
+     possible cross-site scripting flaws affecting web browsers that do not
+     derive the response character set as required by  RFC2616.  One of these
+     reported by SecurityReason [Joe Orton]
+
   *) http_protocol: Escape request method in 405 error reporting.
      This has no security impact since the browser cannot be tricked
      into sending arbitrary method strings.  [Jeff Trawick]

diff --git a/STATUS b/STATUS
index 2b0361ea86bef5bacc0b02e67dfe6f43e75b40b7..3ae60194b13014a4d32ae12ff266aea542008166 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -76,33 +76,6 @@ CURRENT RELEASE NOTES:
 
 RELEASE SHOWSTOPPERS:
 
-   * Various modules: Add explicit charset to the output of various modules to
-     work around possible cross-site scripting flaws affecting web browsers that
-     do not derive the response character set as required by RFC2616.
-      Trunk version of patch:
-         http://svn.apache.org/viewvc?rev=606693&view=rev
-         http://svn.apache.org/viewvc?rev=607276&view=rev
-      Backport version for 2.2.x of patch:
-         http://people.apache.org/~rpluem/patches/utf7_fix_2.2.x.diff
-      +1: rpluem, wrowe, jim
-      wrowe notes; as nice as customization might be, this mirrors the behavior
-      or all RFC conformant browsers, and additional customization can come
-      as a new feature in the future.
-      -1: niq.  We cannot label FTP directory listings as ISO-8859-1 unless
-                we ensure they really are (e.g. some backend platforms will
-                give us UTF-8).  Also mod_dav embeds r->uri in the response:
-                we would need to URL-escape that before HTML-escaping it
-                to ensure that it's ISO-8859-1-compatible.
-      rpluem says: Please see my answers on list. Keep in mind that we do NOT
-                   create a regression by this patch but only enforce browsers
-                   who do not act in an RFC compliant manner to do so.
-                   So please reconsider your -1.
-      wrowe echos rpluem's sentiments, and argues supporting non-RFC clients
-            is not a key purpose of httpd.  However, if the associated non
-            showstopper new-feature will satisfy you, perhaps this should
-            be adopted (c.f. mod_proxy_ftp below).
-      niq says: I withdraw my -1 if we also apply a patch that enables
-                an admin to specify charset in an FTP directory list.
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]

diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c
index 9033cad967e25478aebc0a636b87d6cb4bca560c..24699bc0f6e9f018498d8958c1263b4e31ae9dc1 100644 (file)
--- a/modules/dav/main/mod_dav.c
+++ b/modules/dav/main/mod_dav.c
@@ -317,7 +317,7 @@ static int dav_error_response(request_rec *r, int status, const char *body)
     /* ### I really don't think this is needed; gotta test */
     r->status_line = ap_get_status_line(status);
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     /* begin the response now... */
     ap_rvputs(r,

diff --git a/modules/generators/mod_info.c b/modules/generators/mod_info.c
index adc34150eee844e80654d9b701753daf13cfbc8e..eb4e0c63761de976188438ffe9e7da0a0dd4ff55 100644 (file)
--- a/modules/generators/mod_info.c
+++ b/modules/generators/mod_info.c
@@ -607,7 +607,7 @@ static int display_info(request_rec * r)
     if (r->method_number != M_GET)
         return DECLINED;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     ap_rputs(DOCTYPE_XHTML_1_0T
              "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"

diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index aba9606b3465a9bc12f9a81a3056bd339b156886..2f6519310b8a7d81c63a9f68a3fce8bd9027a90f 100644 (file)
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -111,7 +111,7 @@ static int util_ldap_handler(request_rec *r)
         return DECLINED;
     }
 
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
     if (r->header_only)
         return OK;
 

diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index 75c1d3f2e7dbe3d3efeb7283817412ff13ede38c..d2ae88bb3018dda562f5496024ff015b7e41affe 100644 (file)
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -720,7 +720,7 @@ static int balancer_handler(request_rec *r)
         ap_rputs("</httpd:manager>", r);
     }
     else {
-        ap_set_content_type(r, "text/html");
+        ap_set_content_type(r, "text/html; charset=ISO-8859-1");
         ap_rputs(DOCTYPE_HTML_3_2
                  "<html><head><title>Balancer Manager</title></head>\n", r);
         ap_rputs("<body><h1>Load Balancer Manager for ", r);