granicus.if.org Git - apache/commit
*) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
author William A. Rowe Jr <wrowe@apache.org>
Wed, 2 Oct 2002 21:35:57 +0000 (21:35 +0000)
committer William A. Rowe Jr <wrowe@apache.org>
Wed, 2 Oct 2002 21:35:57 +0000 (21:35 +0000)
commit 01b99447729a3d43891997806106be6bec3637ff
tree 3f8adf38e27b95bf79c9fa30519bff704a481397
parent 7fd6a8c4507c469a3a2f94004cf2ff7174bab568
  *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
     ap_server_signature() against this cross-site scripting
     vulnerability exposed by the directive 'UseCanonicalName Off'.
     Also HTML-escape the SERVER_NAME environment variable for CGI
     and SSI requests.  It's safe to escape as only the '<', '>',
     and '&' characters are affected, which won't appear in a valid
     hostname.  Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
     [Brian Pane]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97064 13f79535-47bb-0310-9956-ffa450edef68
CHANGES
server/core.c
server/util_script.c
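
The escaping described in the commit message above, as an added C example that is not part of this commit or of Apache's source. `escape_html` and `build_signature` are hypothetical names and the footer format is simplified; the sample host values are constructed. It shows that a valid hostname passes through unchanged while markup in a client-supplied name is neutralised.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not Apache's own routine: copy src to dst, replacing
 * '<', '>' and '&' with entities. Returns -1 if dst is too small. */
int escape_html(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        if (*src == '<') rep = "&lt;";
        else if (*src == '>') rep = "&gt;";
        else if (*src == '&') rep = "&amp;";
        size_t n = strlen(rep);
        if (o + n >= dstlen) return -1;      /* keep room for the NUL */
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Simplified signature footer (format assumed). server_name stands for the
 * client-supplied Host value used under 'UseCanonicalName Off'.
 * escape=1 models the fixed behaviour, escape=0 the pre-fix behaviour. */
int build_signature(const char *server_name, unsigned port, int escape,
                    char *out, size_t outlen)
{
    char name[256];
    if (escape) {
        if (escape_html(server_name, name, sizeof name) != 0) return -1;
    } else {
        if (strlen(server_name) >= sizeof name) return -1;
        strcpy(name, server_name);
    }
    int n = snprintf(out, outlen, "<address>Server at %s Port %u</address>\n", name, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[512];
    const char *hosts[] = { "www.example.com", "x<i>y</i>&z" }; /* constructed */
    for (int i = 0; i < 2; i++)
        if (build_signature(hosts[i], 80, 1, buf, sizeof buf) == 0)
            fputs(buf, stdout);
    return 0;
}
```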