aboutsummaryrefslogtreecommitdiffstats
path: root/lib/inets/src/http_lib/http_util.erl
AgeCommit message (Collapse)Author
2011-11-09Initial merge from r13 topic branch. With minimal cleanup.Micael Karlberg
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655 Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_uri.erl lib/inets/src/http_lib/http_util.erl lib/inets/src/http_server/httpd_file.erl lib/inets/src/http_server/httpd_request.erl lib/inets/src/http_server/httpd_request_handler.erl lib/inets/src/http_server/httpd_util.erl lib/inets/src/inets_app/inets.appup.src lib/inets/test/httpc_SUITE.erl lib/inets/test/httpd_SUITE.erl lib/inets/test/httpd_basic_SUITE.erl lib/inets/test/httpd_test_lib.erl lib/inets/vsn.mk
2011-10-25The XSS prevention methods used was confused if theMicael Karlberg
URL was encoded (hex-encoded). OTP-9655
2011-09-15Updated http-server to make sure URLs in error-messagesMicael Karlberg
are URL-encoded. Added support in http-client to use URL-encoding. Also added the missing include directory for the inets application. OTP-8940 [httpd] Prevent XSS in error pages. Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters. Michael Santos OTP-9124
2011-09-06[httpc] Parsing of a cookie expire date should be more forgiving.Micael Karlberg
That is, if the parsing fails, the date should be ignored. Also added support for (yet another) date format: "Tue Jan 01 08:00:01 2036 GMT" OTP-9433
2011-05-20Update copyright yearsBjörn-Egil Dahlberg
2011-02-22inets: prevent XSS in error pagesMichael Santos
Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters. The reserved character set should be safe for displaying data within the body of HTML pages as outlined here: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Previously, weird URLs were URI encoded in the error page. This worked quite well but the URL would be displayed in the HTML in percent encoded format. There was also a check for URIs that were already escaped (by the browser) that would fail if the browser sent an URI containing a "%", e.g.: w3m "http://localhost:8080/<b>foo</b>?%" Also encode the HTTP method and version, since it's possible they may be manipulated: <b>FOO</b> /index.html HTTP/1.0 GET /index.html <b>foo</b>/1.0 Encode the static messages to prevent characters from being interpreted as HTML such as "heavy load (>~w processes)".
2010-08-20inets: Patch 1122Micael Karlberg
OTP-8609 [httpc] Made cookie handling more case insensitive. OTP-8610 [httpc|httpd] Some netscape cookie dates are given with a 2-digit year (e.g. 06 = 2006). OTP-8624 [httpd] Added support (again) for the documented debugging features. See the User's Guide Configuration chapter for more info.
2010-05-27OTP-8609: Problems processing netscape cookies - expireMicael Karlberg
OTP-8610: Problem processing netscape cookies - date OTP-8624: Documented debug options not handled
2010-05-27OTP-8609: Made cookie handling more case insensitive.Micael Karlberg
OTP-8610: Some netscape cookie dates are given with a 2-digit year.
2010-01-13OTP-8016, OTP-8056, OTP-8103, OTP-8106, OTP-8312, OTP-8315, OTP-8327, OTP-8349,Micael Karlberg
OTP-8351, OTP-8359 & OTP-8371.
2009-11-20The R13B03 release.OTP_R13B03Erlang/OTP