merge r603346 from trunk:
authorJeff Trawick <trawick@apache.org>
Sat, 15 Dec 2007 13:32:51 +0000 (13:32 +0000)
committerJeff Trawick <trawick@apache.org>
Sat, 15 Dec 2007 13:32:51 +0000 (13:32 +0000)
  http_protocol: Escape request method in 405 error reporting.
  This has no security impact since the browser cannot be tricked
  into sending arbitrary method strings.

Reviewed by: wrowe, rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@604426 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/http/http_protocol.c

diff --git a/CHANGES b/CHANGES
index a44cfe5d4ac0958fe148bd17b340fc4b4102f042..9e5e3002569f6caefe4112100243cda66f257616 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.62
 
+  *) http_protocol: Escape request method in 405 error reporting.
+     This has no security impact since the browser cannot be tricked
+     into sending arbitrary method strings.  [Jeff Trawick]
+
   *) http_protocol: Escape request method in 413 error reporting.
      Determined to be not generally exploitable, but a flaw in any case.
      PR 44014 [Victor Stinner <victor.stinner inl.fr>]
diff --git a/STATUS b/STATUS
index edddadc25c821768291a8f69b6fab758085427f5..511ec53d6408b9bf8937ede3ffe43c1bc022286b 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -129,13 +129,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * http_protocol: Escape request method in 405 error reporting.
-    Trunk:
-      http://svn.apache.org/viewvc?view=rev&revision=603346
-    2.0.x:
-      Trunk patch applies.
-    +1: trawick, wrowe, rpluem
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are!  Add all new
index d521842b7b68f8ba5815d3aa2f08c672b3214069..deff80bc399b9d95e4c935d19602099633507328 100644 (file)
@@ -2182,7 +2182,8 @@ static const char *get_canned_error_string(int status,
                            NULL));
     case HTTP_METHOD_NOT_ALLOWED:
         return(apr_pstrcat(p,
-                           "<p>The requested method ", r->method,
+                           "<p>The requested method ",
+                           ap_escape_html(r->pool, r->method),
                            " is not allowed for the URL ",
                            ap_escape_html(r->pool, r->uri),
                            ".</p>\n",
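Review bot: The new ap_escape_html call on the added line passes r->pool while the enclosing apr_pstrcat allocates from p; if p is just r->pool in this function (it appears to be, and the existing ap_escape_html(r->pool, r->uri) on the next line follows the same pattern), the pool choice is harmless but worth keeping uniform, e.g. `ap_escape_html(p, r->method),`. With this change every request-derived string spliced into the 405 body (r->method and r->uri) goes through ap_escape_html before reaching the HTML, which matches the 413 case cited in CHANGES; other canned messages in this switch that embed request data should get the same treatment, though none is visible in this hunk. get_canned_error_string begins, and the switch continues, outside the hunk.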