path: root/lib/inets/src/http_lib
Age | Commit message | Author
2015-11-11 | inets: Remove debug macros that mimic call trace | Ingela Anderton Andin
2015-11-11 | inets: Improve max header size handling | Ingela Anderton Andin
The chunked length header should be checked as well as headers present in the chunk trailer part, ignored extensions are counted as header bytes. Also the decode trailer function will stop as soon as the header size is exceeded, when that happens.
2015-11-11 | inets: Terminate gracefully when an invalid chunked length header is encountered | Ingela Anderton Andin
Also use integer_to_list/2 and list_to_integer/2 instead of reimplementing it.
2015-09-10 | inets: httpd - Mend broken fd option | Ingela Anderton Andin
2015-06-18 | Change license text to APLv2 | Bruce Yinhe
2015-02-03 | Merge branch 'maint-17' into maint | Zandra Hird
2015-01-29 | inets: httpd - Sanity check of content-length header | Ingela Anderton Andin
Gracefully handle invalid content-length headers instead of crashing in list_to_integer.
2015-01-02 | Properly parse URI fragments | Anthony Ramine
This fixes a bug in httpc where redirection URIs could lead to bad requests if they contained fragments.
2014-05-23 | inets: httpd - Reject incorrect large request lines early | Ingela Anderton Andin
2014-01-13 | inets: Remove log message as it causes more harm than use at the moment | Ingela Anderton Andin
2013-08-23 | Merge branch 'maint-r15' into maint-r16 | Fredrik Gustafsson
Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_transport.erl lib/inets/src/inets_app/inets.appup.src lib/inets/vsn.mk lib/ssl/doc/src/notes.xml lib/ssl/src/ssl.appup.src lib/ssl/src/ssl.erl lib/ssl/src/ssl_internal.hrl lib/ssl/src/tls_connection.erl lib/ssl/vsn.mk
2013-08-21 | [inets, ssl]: make log_alert configurable as option in ssl, SSLLogLevel added as option to inets conf file | Fredrik Gustafsson
2013-06-12 | Update copyright years | Björn-Egil Dahlberg
2013-05-20 | Remove http_chunk:decode/4 as it is no longer used | Masatake Daimon
http_chunk:decode/4, the side-effecting chunk decoder, was only used by httpc_handler:handle_http_body/2 but now it's completely unused.
2013-03-02 | Fix http_request:http_headers/1 to send content-length when length is zero | CA Meijer
In R16B01, the http_request:http_headers/1 function removes the content-length field from the HTTP headers if the content length is zero. This results in some (perhaps many) HTTP servers rejecting POSTs and PUTs without data with a 411 status word. From RFC2616, section 14.13: "Any Content-Length greater than or EQUAL to zero is a valid value".
2013-02-20 | inets httpd: Handle ipfamily option correctly when listening to port 0 | Ingela Anderton Andin
2013-02-18 | inets: Improve ssl handling | Ingela Anderton Andin
httpc: CTfy test suite
httpd: Simplify ssl configuration
OTP-10846
2012-08-31 | Update copyright years | Björn-Egil Dahlberg
2012-06-05 | Update to work with whitespace in exec path | Lukas Larsson
OTP-10106 OTP-10107
2012-03-15 | [inets] The module http_uri now officially supported | Micael Karlberg
The module http_uri now officially supported. Also, the http_uri:parse/1,2 function has been extended with more scheme support and a way to provide your own scheme info. OTP-9983
2012-03-14 | [inets] Initial proposal of module http_uri | Micael Karlberg
This version of the module was provided by Johan Tjäder. It adds support for more methods (more than http and https). OTP-9983
2011-11-15 | Merge branch 'maint-r14' | Micael Karlberg
Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_uri.erl lib/inets/src/inets_app/inets.appup.src lib/inets/vsn.mk
2011-11-09 | Initial merge from r13 topic branch. With minimal cleanup. | Micael Karlberg
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655 Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_uri.erl lib/inets/src/http_lib/http_util.erl lib/inets/src/http_server/httpd_file.erl lib/inets/src/http_server/httpd_request.erl lib/inets/src/http_server/httpd_request_handler.erl lib/inets/src/http_server/httpd_util.erl lib/inets/src/inets_app/inets.appup.src lib/inets/test/httpc_SUITE.erl lib/inets/test/httpd_SUITE.erl lib/inets/test/httpd_basic_SUITE.erl lib/inets/test/httpd_test_lib.erl lib/inets/vsn.mk
2011-10-26 | Skip catching hex decode failure. | Micael Karlberg
OTP-9655
2011-10-26 | Fixed hex-decoding. | Micael Karlberg
OTP-9655
2011-10-25 | The XSS prevention methods used were confused if the | Micael Karlberg
URL was encoded (hex-encoded). OTP-9655
2011-10-18 | [httpc] Wrong Host header in IPv6 HTTP requests. | Micael Karlberg
When a URI with an IPv6 host is parsed, the brackets that encapsulate the nnn are removed. This value is then supplied as the host header. This can cause problems with some servers. A workaround for this is to use headers_as_is and provide the host header with the request call. To solve this a new option has been added, ipv6_host_with_brackets. This option specifies if the host value of the host header shall include the brackets or not. By default, it does not (as before). OTP-9628
2011-10-12 | Make return from the parse function conform with: | Micael Karlberg
{error, Reason} | {ok, ParsedURL}
2011-09-23 | Merge branch 'dev' into major | Micael Karlberg
Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/inets_app/inets.appup.src lib/inets/test/httpc_cookie_SUITE.erl lib/inets/vsn.mk
2011-09-15 | Updated http-server to make sure URLs in error-messages | Micael Karlberg
are URL-encoded. Added support in http-client to use URL-encoding. Also added the missing include directory for the inets application. OTP-8940
[httpd] Prevent XSS in error pages. Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters. Michael Santos OTP-9124
2011-09-06 | [httpc] Parsing of a cookie expire date should be more forgiving. | Micael Karlberg
That is, if the parsing fails, the date should be ignored. Also added support for (yet another) date format: "Tue Jan 01 08:00:01 2036 GMT" OTP-9433
2011-09-05 | Removed the ossl config option (from both client and server). | Micael Karlberg
The ossl option is no longer valid since the old ssl (OpenSSL based ssl variant) has been removed from the ssl app. OTP-9522
2011-06-15 | SSL with IPv6 now works "in principle". | Micael Karlberg
2011-05-30 | Peer/sockname resolv doesn't work with IPv6 addrs in HTTP. | Micael Karlberg
OTP-9343
2011-05-20 | Update copyright years | Björn-Egil Dahlberg
2011-05-12 | Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in an exit with | Micael Karlberg
reason badarg. Neither SSL nor INETS catches this, resulting in crashes with incomprehensible reasons. OTP-9289
2011-04-19 | Default ssl kind changed to essl (from ossl). | Micael Karlberg
2011-04-06 | Accepting file descriptors (fd) in the config for | Micael Karlberg
socket type ip_comm.
2011-03-10 | Merge branch 'ms/inets-prevent_xss_in_error_pages' into bmk/inets/httpd/prevent_xss_in_error_pages/OTP-9124 | Micael Karlberg
2011-03-03 | Handling encoding of empty chunks. | Micael Karlberg
2011-02-22 | inets: prevent XSS in error pages | Michael Santos
Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters.
The reserved character set should be safe for displaying data within the body of HTML pages as outlined here:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Previously, weird URLs were URI encoded in the error page. This worked quite well but the URL would be displayed in the HTML in percent encoded format. There was also a check for URIs that were already escaped (by the browser) that would fail if the browser sent an URI containing a "%", e.g.:
w3m "http://localhost:8080/<b>foo</b>?%"
Also encode the HTTP method and version, since it's possible they may be manipulated:
<b>FOO</b> /index.html HTTP/1.0
GET /index.html <b>foo</b>/1.0
Encode the static messages to prevent characters from being interpreted as HTML such as "heavy load (>~w processes)".
2010-12-01 | Merge branch 'ia/ssl/test-improvments' into dev | Ingela Anderton Andin
2010-11-30 | Replaced error report with debug printout. | Micael Karlberg
Also added some verbosity (dbg) printouts in the transport module (for ip_comm listen).
2010-11-29 | URL-encoding - add support in client and more usage in server. Also | Ingela Anderton Andin
added missing include directory.
2010-08-20 | inets: Patch 1122 | Micael Karlberg
OTP-8609 [httpc] Made cookie handling more case insensitive.
OTP-8610 [httpc|httpd] Some netscape cookie dates are given with a 2-digit year (e.g. 06 = 2006).
OTP-8624 [httpd] Added support (again) for the documented debugging features. See the User's Guide Configuration chapter for more info.
2010-06-07 | OTP-7907: Allow the use of the "new" ssl (essl). | Micael Karlberg
OTP-8564: Update deprecation status.
OTP-8573: Inets mod_alias URL rewrite.
2010-05-27 | OTP-8609: Problems processing netscape cookies - expire | Micael Karlberg
OTP-8610: Problem processing netscape cookies - date
OTP-8624: Documented debug options not handled
2010-05-27 | OTP-8609: Made cookie handling more case insensitive. | Micael Karlberg
OTP-8610: Some netscape cookie dates are given with a 2-digit year.
2010-01-19 | OTP-8016 [httpc] Several more or less critical fixes: * Initial call | Micael Karlberg
between the httpc manager and request handler was synchronous. When the manager starts a new request handler, this is no longer a synchronous operation. Previously, the new request handler made the connection to the server and issuing of the first request (the reason for starting it) in the gen_server init function. If the connection for some reason "took some time", the manager hanged, leaving all other activities by that manager also hanging. As a side-effect of these changes, some modules were also renamed, and a new api module, httpc, has been introduced (the old module, http, is *not* removed, but is now just a wrapper for httpc).
2010-01-13 | OTP-8016, OTP-8056, OTP-8103, OTP-8106, OTP-8312, OTP-8315, OTP-8327, OTP-8349, | Micael Karlberg
OTP-8351, OTP-8359 & OTP-8371.