From 2702f2eeea9e7ef8cf059128014145a3db97705a Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Wed, 2 Jan 2008 19:29:59 +0000
Subject: [PATCH] http://svn.apache.org/viewvc?rev=606693&view=rev http://svn.apache.org/viewvc?rev=607276&view=rev
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@608194 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 5 +++++
 STATUS | 10 ----------
 modules/dav/main/mod_dav.c | 2 +-
 modules/experimental/util_ldap.c | 2 +-
 modules/generators/mod_info.c | 2 +-
 modules/proxy/proxy_ftp.c | 2 +-
 6 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/CHANGES b/CHANGES
index 7dd99a6ccf2..e55a69a17ad 100644
--- a/CHANGES
+++ b/CHANGES
@@ -17,6 +17,11 @@ Changes with Apache 2.0.62
 shutdown of the server when the MaxClients is higher then 257, in a more responsive manner [Mladen Turk, William Rowe]
+ *) Add explicit charset to the output of various modules to work around
+ possible cross-site scripting flaws affecting web browsers that do not
+ derive the response character set as required by RFC2616. One of these
+ reported by SecurityReason [Joe Orton]
+
 *) http_protocol: Escape request method in 405 error reporting. This has no security impact since the browser cannot be tricked into sending arbitrary method strings. [Jeff Trawick]
diff --git a/STATUS b/STATUS
index 7b05229cfcb..1f2d0da30a4 100644
--- a/STATUS
+++ b/STATUS
@@ -113,16 +113,6 @@ CURRENT RELEASE NOTES:
 RELEASE SHOWSTOPPERS:
- * Various modules: Add explicit charset to the output of various modules to
- work around possible cross-site scripting flaws affecting web browsers that
- do not derive the response character set as required by RFC2616.
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=606693&view=rev
- http://svn.apache.org/viewvc?rev=607276&view=rev
- Backport version for 2.0.x of patch:
- http://people.apache.org/~rpluem/patches/utf7_fix_2.0.x.diff
- +1: rpluem, wrowe, jim
-
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c
index 8740c174542..3d3b47bb608 100644
--- a/modules/dav/main/mod_dav.c
+++ b/modules/dav/main/mod_dav.c
@@ -317,7 +317,7 @@ static int dav_error_response(request_rec *r, int status, const char *body)
 /* ### I really don't think this is needed; gotta test */
 r->status_line = ap_get_status_line(status);
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 /* begin the response now... */
 ap_rvputs(r,
diff --git a/modules/experimental/util_ldap.c b/modules/experimental/util_ldap.c
index a55256d8879..adaccb32420 100644
--- a/modules/experimental/util_ldap.c
+++ b/modules/experimental/util_ldap.c
@@ -139,7 +139,7 @@ int util_ldap_handler(request_rec *r)
 return DECLINED;
 }
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=ISO-8859-1";
 if (r->header_only) return OK;
diff --git a/modules/generators/mod_info.c b/modules/generators/mod_info.c
index a6973ddb7a9..eb72844232e 100644
--- a/modules/generators/mod_info.c
+++ b/modules/generators/mod_info.c
@@ -318,7 +318,7 @@ static int display_info(request_rec *r)
 if (r->method_number != M_GET) return DECLINED;
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 ap_rputs(DOCTYPE_HTML_3_2 "Server Information\n", r);
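Review bot: The new literal `"text/html; charset=ISO-8859-1"` is spelled out here and again, verbatim, in the util_ldap.c, mod_info.c and proxy_ftp.c hunks of this commit, so a later change of charset has four places to miss; one shared definition (a `#define` in a common header, or a small wrapper around `ap_set_content_type()`) would keep the call sites in step. Nothing at this call site says why the charset is fixed, so a one-line comment would help the next reader: `/* explicit charset: stop browsers from guessing one (e.g. UTF-7) in which escaped text turns into markup */`. The declared charset only closes that browser-side guessing path; the `body` argument still has to be HTML-escaped by whoever builds it, and that is not visible in this hunk. dav_error_response begins before the hunk and continues after it.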
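Review bot: This hunk stores the type with a direct assignment `r->content_type = "text/html; charset=ISO-8859-1";`, whereas the mod_dav.c, mod_info.c and proxy_ftp.c hunks of the same commit go through `ap_set_content_type()`; since the line is being touched anyway, `ap_set_content_type(r, "text/html; charset=ISO-8859-1");` would make the four sites consistent. If 2.0.x's `ap_set_content_type()` does anything beyond storing the pointer — I cannot tell from the hunk — the direct assignment skips it. util_ldap_handler begins before the hunk and continues after it.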
diff --git a/modules/proxy/proxy_ftp.c b/modules/proxy/proxy_ftp.c
index c02f0f48e1b..3cf6d31fbb5 100644
--- a/modules/proxy/proxy_ftp.c
+++ b/modules/proxy/proxy_ftp.c
@@ -1702,7 +1702,7 @@ int ap_proxy_ftp_handler(request_rec *r, proxy_server_conf *conf,
 /* set content-type */
 if (dirlisting) {
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 }
 else {
 if (r->content_type) {
-- 
2.47.2
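Review bot: The explicit charset is applied only on the `dirlisting` branch, where the HTML page is built by the proxy from the remote FTP server's listing, so the names placed into that page are input the proxy does not control; the charset declaration stops a browser from choosing a different encoding for the page, but escaping of those names when the listing is generated remains the primary control, and that code is outside this hunk. A one-line comment at the call site would record the reason for the fixed charset, which the code itself does not show: `/* explicit charset so browsers cannot guess a different one (see CHANGES) */`. Names a remote server sends in some other encoding will display incorrectly under ISO-8859-1, which is a rendering issue rather than a safety one and worth a word in that comment. ap_proxy_ftp_handler begins well before the hunk and continues after it.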