From: Jim Jagielski Date: Wed, 2 Jan 2008 19:26:59 +0000 (+0000) Subject: http://svn.apache.org/viewvc?rev=606693&view=rev X-Git-Tag: 2.2.7~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9b1d06d54428da8468ede9273032dc71fd1c881;p=thirdparty%2Fapache%2Fhttpd.git http://svn.apache.org/viewvc?rev=606693&view=rev http://svn.apache.org/viewvc?rev=607276&view=rev git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@608192 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 54c5c38dec2..df1a9363984 100644 --- a/CHANGES +++ b/CHANGES @@ -39,6 +39,11 @@ Changes with Apache 2.2.7 *) mod_disk_cache: Delete temporary files if they cannot be renamed to their final name. [Davi Arnaut ] + *) Add explicit charset to the output of various modules to work around + possible cross-site scripting flaws affecting web browsers that do not + derive the response character set as required by RFC2616. One of these + reported by SecurityReason [Joe Orton] + *) http_protocol: Escape request method in 405 error reporting. This has no security impact since the browser cannot be tricked into sending arbitrary method strings. [Jeff Trawick] diff --git a/STATUS b/STATUS index 2b0361ea86b..3ae60194b13 100644 --- a/STATUS +++ b/STATUS 
@@ -76,33 +76,6 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: - * Various modules: Add explicit charset to the output of various modules to - work around possible cross-site scripting flaws affecting web browsers that - do not derive the response character set as required by RFC2616. - Trunk version of patch: - http://svn.apache.org/viewvc?rev=606693&view=rev - http://svn.apache.org/viewvc?rev=607276&view=rev - Backport version for 2.2.x of patch: - http://people.apache.org/~rpluem/patches/utf7_fix_2.2.x.diff - +1: rpluem, wrowe, jim - wrowe notes; as nice as customization might be, this mirrors the behavior - or all RFC conformant browsers, and additional customization can come - as a new feature in the future. - -1: niq. We cannot label FTP directory listings as ISO-8859-1 unless - we ensure they really are (e.g. some backend platforms will - give us UTF-8). Also mod_dav embeds r->uri in the response: - we would need to URL-escape that before HTML-escaping it - to ensure that it's ISO-8859-1-compatible. - rpluem says: Please see my answers on list. Keep in mind that we do NOT - create a regression by this patch but only enforce browsers - who do not act in an RFC compliant manner to do so. - So please reconsider your -1. - wrowe echos rpluem's sentiments, and argues supporting non-RFC clients - is not a key purpose of httpd. However, if the associated non - showstopper new-feature will satisfy you, perhaps this should - be adopted (c.f. mod_proxy_ftp below). - niq says: I withdraw my -1 if we also apply a patch that enables - an admin to specify charset in an FTP directory list. PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c index 9033cad967e..24699bc0f6e 100644 --- a/modules/dav/main/mod_dav.c +++ b/modules/dav/main/mod_dav.c 
@@ -317,7 +317,7 @@ static int dav_error_response(request_rec *r, int status, const char *body) /* ### I really don't think this is needed; gotta test */ r->status_line = ap_get_status_line(status); - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); /* begin the response now... */ ap_rvputs(r, diff --git a/modules/generators/mod_info.c b/modules/generators/mod_info.c index adc34150eee..eb4e0c63761 100644 --- a/modules/generators/mod_info.c +++ b/modules/generators/mod_info.c @@ -607,7 +607,7 @@ static int display_info(request_rec * r) if (r->method_number != M_GET) return DECLINED; - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); ap_rputs(DOCTYPE_XHTML_1_0T "\n" diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c index aba9606b346..2f6519310b8 100644 --- a/modules/ldap/util_ldap.c +++ b/modules/ldap/util_ldap.c @@ -111,7 +111,7 @@ static int util_ldap_handler(request_rec *r) return DECLINED; } - r->content_type = "text/html"; + r->content_type = "text/html; charset=ISO-8859-1"; if (r->header_only) return OK; diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c index 75c1d3f2e7d..d2ae88bb301 100644 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c @@ -720,7 +720,7 @@ static int balancer_handler(request_rec *r) ap_rputs("", r); } else { - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); ap_rputs(DOCTYPE_HTML_3_2 "Balancer Manager\n", r); ap_rputs("

Load Balancer Manager for ", r);
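Review bot: the new CHANGES entry ends in a fragment, "One of these reported by SecurityReason [Joe Orton]", that does not say which of the affected modules the external report covered; suggest finishing the sentence and naming that module so a reader of CHANGES can match the entry to the report (the rest of the entry is fine).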
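Review bot: deleting the showstopper block from STATUS also deletes the condition on which niq withdrew the -1 ("if we also apply a patch that enables an admin to specify charset in an FTP directory list"), yet no file under modules/proxy/ relating to FTP is touched by this commit; either the FTP charset change should be part of this backport or the STATUS entry should record where that follow-up is tracked instead of vanishing.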
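Review bot: in dav_error_response, adding "charset=ISO-8859-1" to the content type does not address the concern raised in the STATUS discussion that mod_dav embeds r->uri in the body, so a URI holding bytes outside ISO-8859-1 would now be served under an explicit charset it does not match; the STATUS thread proposed URL-escaping r->uri before it is HTML-escaped into this response, and that should be done here rather than only relabelling the output.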
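Review bot: display_info hard-codes the literal "text/html; charset=ISO-8859-1", and the same literal is repeated in the mod_dav, util_ldap and mod_proxy_balancer hunks; since STATUS anticipates a configurable charset as a later feature, a single shared define for the default would let that change land in one place instead of four.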
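Review bot: util_ldap_handler assigns r->content_type directly while every other hunk in this patch goes through ap_set_content_type(); suggest `ap_set_content_type(r, "text/html; charset=ISO-8859-1");` here as well, so the content type is set through the same API the rest of the change relies on.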
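Review bot: only the else branch of balancer_handler gains the explicit charset; the branch before it also writes a response body with ap_rputs, and its content type is not visible in this hunk, so confirm that branch's response either carries an explicit charset too or does not need one, and say which in the commit message.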