Age | Commit message (Collapse) | Author |
|
|
|
The chunked length header should be checked as well as
headers present in the chunk trailer part, ignored extensions are counted
as header bytes. Also the decode trailer function will stop as soon
as the header size is exceed, when that happens.
|
|
Also use integer_to_list/2 and list_to_integer/2 instead of reimplementing it.
|
|
|
|
|
|
|
|
Gracefully handle invalid content-lenght headers instead of
crashing in list_to_integer.
|
|
This fixes a bug in httpc where redirection URIs could lead to bad requests if they
contained fragments.
|
|
|
|
|
|
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_lib/http_transport.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/vsn.mk
lib/ssl/doc/src/notes.xml
lib/ssl/src/ssl.appup.src
lib/ssl/src/ssl.erl
lib/ssl/src/ssl_internal.hrl
lib/ssl/src/tls_connection.erl
lib/ssl/vsn.mk
|
|
added as option to inets conf file
|
|
|
|
http_chunk:decode/4, the side-effecting chunk decoder, was only used
by httpc_handler:handle_http_body/2 but now it's completely unused.
|
|
In R16B01, the http_request:http_headers/1 function removes the content-length
field from the HTTP headers if the content length is zero. This results in
some (perhaps many) HTTP servers rejecting POSTs and PUTs without data with
a 411 status word. From RFC2616, section 14.13: "Any Content-Length greater than
or EQUAL to zero is a valid value".
|
|
|
|
httpc: CTfy test suite
httpd: Simplify ssl configuration OTP-10846
|
|
|
|
OTP-10106
OTP-10107
|
|
The module http_uri now officially supported.
Also, the http_uri:parse/1,2 function has been
extended with more scheme support and a way
to provide your own scheme info.
OTP-9983
|
|
This version of the module was provided by Johan Tj�der.
It adds support for more methods (more than http and https).
OTP-9983
|
|
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_lib/http_uri.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/vsn.mk
|
|
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_lib/http_uri.erl
lib/inets/src/http_lib/http_util.erl
lib/inets/src/http_server/httpd_file.erl
lib/inets/src/http_server/httpd_request.erl
lib/inets/src/http_server/httpd_request_handler.erl
lib/inets/src/http_server/httpd_util.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/test/httpc_SUITE.erl
lib/inets/test/httpd_SUITE.erl
lib/inets/test/httpd_basic_SUITE.erl
lib/inets/test/httpd_test_lib.erl
lib/inets/vsn.mk
|
|
OTP-9655
|
|
OTP-9655
|
|
URL was encoded (hex-encoded).
OTP-9655
|
|
When a URI with a IPv6 host is parsed, the brackets that encapsulates
the nnn is removed. This value is then supplied as the host header.
This can cause problems with some servers.
A workaround for this is to use headers_as_is and provide the host
header with the requst call
To solve this a new option has been added, ipv6_host_with_brackets.
This option specifies if the host value of the host header shall include
the branckets or not. By default, it does not (as before).
OTP-9628
|
|
{error, Reason} | {ok, ParsedURL}
|
|
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
lib/inets/test/httpc_cookie_SUITE.erl
lib/inets/vsn.mk
|
|
are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.
OTP-8940
[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos
OTP-9124
|
|
That is, if the parsing fails, the date should be ignored.
Also added support for (yet another) date format: "Tue Jan 01 08:00:01 2036 GMT"
OTP-9433
|
|
The ossl option is no longer valid since the old ssl (OpenSSL
based ssl variant) has been removed from the ssl app.
OTP-9522
|
|
|
|
OTP-9343
|
|
|
|
reason badarg. Neither SSL nor INETS catches this, resulting in crashes
with incomprehensible reasons.
OTP-9289
|
|
|
|
socket type ip_comm.
|
|
bmk/inets/httpd/prevent_xss_in_error_pages/OTP-9124
|
|
|
|
Prevent user controlled input from being interpreted as HTML in error
pages by encoding the reserved HTML characters. The reserved character
set should be safe for displaying data within the body of HTML pages
as outlined here:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Previously, weird URLs were URI encoded in the error page. This worked
quite well but the URL would be displayed in the HTML in percent encoded
format. There was also a check for URIs that were already escaped (by
the browser) that would fail if the browser sent an URI containing a
"%", e.g.:
w3m "http://localhost:8080/<b>foo</b>?%"
Also encode the HTTP method and version, since it's possible they may be
manipulated:
<b>FOO</b> /index.html HTTP/1.0
GET /index.html <b>foo</b>/1.0
Encode the static messages to prevent characters from being interpreted
as HTML such as "heavy load (>~w processes)".
|
|
|
|
Also added some verbosity (dbg) printouts in the
transport module (for ip_comm listen).
|
|
added missing include directory.
|
|
OTP-8609 [httpc] Made cookie handling more case insensitive.
OTP-8610 [httpc|httpd] Some netscape cookie dates are given with
a 2-digit year (e.g. 06 = 2006).
OTP-8624 [httpd] Added support (again) for the documented debugging
features. See the User's Guide Configuration chapter for
more info.
|
|
OTP-8564: Update deeprication status.
OTP-8573: Inets mod_alias URL rewrite.
|
|
OTP-8610: Problem processing netscape cookies - date
OTP-8624: Documented debug options not handled
|
|
OTP-8610: Some netscape cookie dates are given with a 2-digit year.
|
|
between the httpc manager and request handler was synchronous.
When the manager starts a new request handler, this is no longer
a synchronous operation. Previously, the new request handler made
the connection to the server and issuing of the first request
(the reason for starting it) in the gen_server init function. If
the connection for some reason "took some time", the manager
hanged, leaving all other activities by that manager also
hanging. As a side-effect of these changes, some modules was also
renamed, and a new api module, httpc, has been introduced (the
old module, http, is *not* removed, but is now just wrapper for
httpc).
|
|
OTP-8351, OTP-8359 & OTP-8371.
|