Age | Commit message | Author

causes a case-clause error, as calendar:local_time_to_universal_time_dst/1
can return an empty list, which is not currently handled.
When called with an invalid DST time:
    1> httpd_util:rfc1123_date({{2017, 03, 26},{1, 0, 0}}).
    ** exception error: no case clause matching []
         in function httpd_util:rfc1123_date/1 (httpd_util.erl, line 334)
To alleviate this, simply add a clause to handle the empty list and return the
original time in the expected rfc1123 format. This is the approach of other
modules which make use of the calendar:local_time_to_universal_time_dst/1
function. The formatted date is then returned without error:
    2> httpd_util:rfc1123_date({{2017, 03, 26},{1, 0, 0}}).
    "Sun, 26 Mar 2017 01:00:00 GMT"
* ia/maint/inets/mod_alias/OTP-13248:
    inets: Prepare for release
    inets: Traverse all aliases looking for the longest match
    inets: Use re instead of inets_regexp
# Conflicts:
#     lib/inets/vsn.mk
or fails
Also remove legacy debug macros and add the helper function httpd_util:error_log/2
to avoid code duplication.
Was already possible for HTTPS. Also remove use of the legacy option
inet6fb4. The IPv6 standard moved away from being able to fall back to IPv4,
so this option makes little sense; inet (IPv4) will be used as the default instead of
inet6fb4.
To enable the HTTP server to run in a virtualized environment,
where there can be more than one server that has the same
bind_address and port, we add a new option, profile.
The profile name will be used in concatenation with bind_address and port
to identify the HTTP server instance.
The name profile was chosen as there is a similar concept in the HTTP client,
where profile names can be used to instantiate client configurations.
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655
Conflicts:
    lib/inets/doc/src/notes.xml
    lib/inets/src/http_lib/http_uri.erl
    lib/inets/src/http_lib/http_util.erl
    lib/inets/src/http_server/httpd_file.erl
    lib/inets/src/http_server/httpd_request.erl
    lib/inets/src/http_server/httpd_request_handler.erl
    lib/inets/src/http_server/httpd_util.erl
    lib/inets/src/inets_app/inets.appup.src
    lib/inets/test/httpc_SUITE.erl
    lib/inets/test/httpd_SUITE.erl
    lib/inets/test/httpd_basic_SUITE.erl
    lib/inets/test/httpd_test_lib.erl
    lib/inets/vsn.mk
do the actual HTML encode.
OTP-9655
OTP-9655
URL was encoded (hex-encoded).
OTP-9655
are URL-encoded. Added support in the HTTP client to use
URL-encoding. Also added the missing include directory
for the inets application.
OTP-8940

[httpd] Prevent XSS in error pages.
Prevent user-controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos
OTP-9124
Prevent user-controlled input from being interpreted as HTML in error
pages by encoding the reserved HTML characters. The reserved character
set should be safe for displaying data within the body of HTML pages,
as outlined here:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Previously, weird URLs were URI-encoded in the error page. This worked
quite well, but the URL would be displayed in the HTML in percent-encoded
format. There was also a check for URIs that were already escaped (by
the browser) that would fail if the browser sent a URI containing a
"%", e.g.:
    w3m "http://localhost:8080/<b>foo</b>?%"
Also encode the HTTP method and version, since it's possible they may be
manipulated:
    <b>FOO</b> /index.html HTTP/1.0
    GET /index.html <b>foo</b>/1.0
Encode the static messages to prevent characters from being interpreted
as HTML, such as "heavy load (>~w processes)".
Added the missing include directory.
OTP-8609 [httpc] Made cookie handling more case insensitive.
OTP-8610 [httpc|httpd] Some Netscape cookie dates are given with
         a 2-digit year (e.g. 06 = 2006).
OTP-8624 [httpd] Added support (again) for the documented debugging
         features. See the User's Guide Configuration chapter for
         more info.
OTP-8610: Problem processing Netscape cookies - date
OTP-8624: Documented debug options not handled