From: Takashi Sato
Date: Fri, 9 May 2008 09:00:42 +0000 (+0000)
Subject: Merge r349917 from trunk:
X-Git-Tag: 2.2.9~200
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29851462863ef81aece9d7960aefc2677843309f;p=thirdparty%2Fapache%2Fhttpd.git

Merge r349917 from trunk:
Escape the dots in the regular expression.

Merge r595288 from trunk:
add note on security impact of suppress-error-charset for broken browsers

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@654730 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/env.xml b/docs/manual/env.xml
index 9ce24f572a6..41fed5ce43a 100644
--- a/docs/manual/env.xml
+++ b/docs/manual/env.xml
@@ -370,6 +370,19 @@ set for the redirection text, and these broken browsers will then correctly use that of the destination page.

+ + Security note + +

Sending error pages without a specified character set may + allow a cross-site-scripting attack for existing browsers (MSIE) + which do not follow the HTTP/1.1 specification and attempt to + "guess" the character set from the content. Such browsers can + be easily fooled into using the UTF-7 character set, and UTF-7 + content from input data (such as the request-URI) will not be + escaped by the usual escaping mechanisms designed to prevent + cross-site-scripting attacks.

+
+
force-proxy-request-1.0, proxy-nokeepalive, proxy-sendchunked, proxy-sendcl @@ -436,7 +449,7 @@ CustomLog logs/access_log common env=!image-request in limited circumstances. We assume that all your images are in a directory called /web/images.

-SetEnvIf Referer "^http://www.example.com/" local_referal
+SetEnvIf Referer "^http://www\.example\.com/" local_referal
 # Allow browsers that do not send Referer info
 SetEnvIf Referer "^$" local_referal
 <Directory /web/images>
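Review bot: in the first hunk (the new "Security note"), the note describes the UTF-7 charset-sniffing risk but never names suppress-error-charset, so a reader who lands on the note cannot tell it is a consequence of setting that variable; open it with that link, e.g. "If you set suppress-error-charset, be aware that ...". Two smaller points in the same paragraph: "existing browsers (MSIE)" is vague about which browsers are meant, and the note ends on the problem without the mitigation its first sentence already implies, namely that an error or redirect page sent this way must itself declare its character set so the browser has nothing to guess.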
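Review bot: in the second hunk, escaping the dots is the right fix; the old pattern "^http://www.example.com/" would also have matched any host where those two characters were something other than a literal dot. Two follow-ups for the same example: the pattern still matches only the http scheme and the bare www host, which the surrounding "in limited circumstances" text could spell out, and because the next line deliberately sets local_referal for any request with an empty Referer, the text should make clear this discourages casual image hotlinking rather than acting as an access control, since Referer is supplied by the client. The misspelled local_referal is also used on the unchanged line below and presumably inside the Directory block, so renaming it belongs in a separate change.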