aboutsummaryrefslogtreecommitdiffstats
path: root/lib/inets/src/http_server
AgeCommit message (Collapse)Author
2011-11-15Merge branch 'maint-r14'Micael Karlberg
Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_uri.erl lib/inets/src/inets_app/inets.appup.src lib/inets/vsn.mk
2011-11-09[httpd] GET request with malformed header date causedMicael Karlberg
server crash (non-fatal) with no reply to client. Will now result in a reply with status code 400. OTP-9674 Merge branch 'bmk/inets/httpd/xss_with_bad_header_date/r14/OTP-9674' into bmk/inets/inets572_integration Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/inets_app/inets.appup.src
2011-11-09Initial merge from r13 topic branch. With minimal cleanup.Micael Karlberg
Merge branch 'bmk/inets/httpd/xss_with_bad_header_date/r13/OTP-9674' into bmk/inets/httpd/xss_with_bad_header_date/r14/OTP-9674 Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_server/mod_responsecontrol.erl lib/inets/src/inets_app/inets.appup.src lib/inets/test/httpd_1_1.erl lib/inets/test/httpd_SUITE.erl lib/inets/test/httpd_mod.erl lib/inets/test/httpd_test_lib.erl lib/inets/vsn.mk
2011-11-09Aftermerge cleanup.Micael Karlberg
2011-11-09Initial merge from r13 topic branch. With minimal cleanup.Micael Karlberg
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655 Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_uri.erl lib/inets/src/http_lib/http_util.erl lib/inets/src/http_server/httpd_file.erl lib/inets/src/http_server/httpd_request.erl lib/inets/src/http_server/httpd_request_handler.erl lib/inets/src/http_server/httpd_util.erl lib/inets/src/inets_app/inets.appup.src lib/inets/test/httpc_SUITE.erl lib/inets/test/httpd_SUITE.erl lib/inets/test/httpd_basic_SUITE.erl lib/inets/test/httpd_test_lib.erl lib/inets/vsn.mk
2011-11-01[httpd] GET request with malformed header date causedMicael Karlberg
server crash (non-fatal) with no reply to client. Will now result in a reply with status code 400. OTP-9674
2011-10-26Fixed HTML encode. First *try* to hex decode uri, and thenMicael Karlberg
do the actual html encode. OTP-9655
2011-10-26Fixed hex-decoding.Micael Karlberg
OTP-9655
2011-10-25The XSS prevention methods used was confused if theMicael Karlberg
URL was encoded (hex-encoded). OTP-9655
2011-09-29Merge branch 'dev' into majorBjörn-Egil Dahlberg
* dev: Update copyright years
2011-09-29Update copyright yearsBjörn-Egil Dahlberg
2011-09-23Merge branch 'dev' into majorMicael Karlberg
Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/inets_app/inets.appup.src lib/inets/test/httpc_cookie_SUITE.erl lib/inets/vsn.mk
2011-09-23[httpc] Parsing of a cookie expire date should be more forgiving.Micael Karlberg
That is, if the parsing fails, the date should be ignored. Also added support for (yet another) date format: "Tue Jan 01 08:00:01 2036 GMT". OTP-9433 [httpc] Rewrote cookie parsing. Among other things solving cookie processing from www.expedia.com. OTP-9434 [httpd] Fix httpd directory traversal on Windows. Directory traversal was possible on Windows where backward slash is used as directory separator. Andr�s Veres-Szentkir�lyi. OTP-9561 Merge branch 'bmk/inets/inets571_integration' into dev
2011-09-20Merge branch 'dev' into majorHenrik Nord
Conflicts: erts/aclocal.m4 erts/include/internal/ethread_header_config.h.in
2011-09-19Fixed release notes, version and cosmetics in source.Micael Karlberg
2011-09-19Merge branch 'va/http-win-dir-traversal' into ↵Micael Karlberg
bmk/inets/httpd/windows_dir_traversal/OTP-OTP-9561
2011-09-15Fix more misspellings of compatibilityTuncer Ayaz
2011-09-15Fix misspelling of keptTuncer Ayaz
2011-09-15Updated http-server to make sure URLs in error-messagesMicael Karlberg
are URL-encoded. Added support in http-client to use URL-encoding. Also added the missing include directory for the inets application. OTP-8940 [httpd] Prevent XSS in error pages. Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters. Michael Santos OTP-9124
2011-09-09Merge branch 'bmk/inets/inets58_integration' into majorMicael Karlberg
[httpc] Deprecated interface module <c>http</c> has been removed. It has (long) been replaced by http client interface module httpc. OTP-9359 [httpc|httpd] The old ssl implementation (based on OpenSSL), has been deprecated. The config option that specified usage of this version of the ssl app, *ossl*, has been removed. OTP-9522
2011-09-05Removed the ossl config option (from both client and server).Micael Karlberg
The ossl option is no longer valid since the old ssl (OpenSSL based ssl variant) has been removed from the ssl app. OTP-9522
2011-08-26Fix httpd directory traversal on WindowsAndrás Veres-Szentkirályi
Although the validation in httpd_request works well on platforms using forward slash as directory separator, on Windows systems, this protection can be circumvented using URLs containing backslashes. This way, any file accessible to the user running the server (even those outside the document root) can be read through HTTP. This commit solves the problem by expanding the list of path separators to '/\\'.
2011-08-25Typofix in httpd_file:handle_error messageAndrás Veres-Szentkirályi
2011-05-20Update copyright yearsBjörn-Egil Dahlberg
2011-04-06Accepting file descriptors (fd) in the config forMicael Karlberg
socket type ip_comm.
2011-03-28A slightly more usefull debug printout (including httpd services).Micael Karlberg
2011-03-28Merge branch 'bd/mod_esi_timeout_fix' into bmk/inets/inet56_integrationMicael Karlberg
OTP-9158
2011-03-28Merge branch 'rj/fix-httpd-format' into bmk/inets/inet56_integrationMicael Karlberg
OTP-9157
2011-03-18Merge branch 'bmk/inets/httpd/prevent_xss_in_error_pages/OTP-9124' into ↵Micael Karlberg
bmk/inets/inet56_integration Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/inets_app/inets.appup.src
2011-03-17Fix timeout message generated by mod_esiBernard Duggan
When a mod_esi request times out, the code to send a timeout response was incorrect and generated an internal server error as well as an invalid response line.
2011-03-17Fix log messages formating in httpdRicardo Catalinas Jiménez
2011-02-24Modify mod_esi:deliver/2 to accept binary dataBernard Duggan
This change allows for more efficient delivery of large amounts of data through the mod_esi interface when the handling process has that data in binary format. It avoids the need to convert to list and the extra memory involved in passing that list between processes.
2011-02-22inets: prevent XSS in error pagesMichael Santos
Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters. The reserved character set should be safe for displaying data within the body of HTML pages as outlined here: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Previously, weird URLs were URI encoded in the error page. This worked quite well but the URL would be displayed in the HTML in percent encoded format. There was also a check for URIs that were already escaped (by the browser) that would fail if the browser sent an URI containing a "%", e.g.: w3m "http://localhost:8080/<b>foo</b>?%" Also encode the HTTP method and version, since it's possible they may be manipulated: <b>FOO</b> /index.html HTTP/1.0 GET /index.html <b>foo</b>/1.0 Encode the static messages to prevent characters from being interpreted as HTML such as "heavy load (>~w processes)".
2010-12-16External include filesMicael Karlberg
HTTPD header file install "fixed". That is, the include files in the include dir are installed in the include dir (by the Makefile in the src/inets_app). New wrapper header files (with the same names httpd.hrl and mod_auth.hrl) has been created in the src/http_server dir (which in turn is installed in the src/http_server dir by the Makefile in the src/http_server dir).
2010-11-30Changed file error handling to be consistentIngela Anderton Andin
Internal server error is only used for emfile and enfile all other errors are treated as 404 file not found, except 403 eacces.
2010-11-29URL-encoding - add support in client and more usage in server. AlsoIngela Anderton Andin
added missing include directory.
2010-08-20inets: Patch 1122Micael Karlberg
OTP-8609 [httpc] Made cookie handling more case insensitive. OTP-8610 [httpc|httpd] Some netscape cookie dates are given with a 2-digit year (e.g. 06 = 2006). OTP-8624 [httpd] Added support (again) for the documented debugging features. See the User's Guide Configuration chapter for more info.
2010-08-20inets: Patch 1111Micael Karlberg
OTP-8508 [httpc] Badly formated error reason for errors occuring during initial connec to a servert. Also, the possible error reasons was not properly documented. OTP-8509 [httpd] Issues with ESI erl_script_timeout. </p> *) The "erl_script_timeout" config option is ducumented as a number of seconds. But when parsing the config, in the new format (not a config file), it was handled as if in number of milliseconds. *) When the erl-script-timeout time was exceeded, the server incorrectly marked the answer as sent, thereby leaving client hanging (with an incomplete answer). This has been changed, so that now the socket will be closed.
2010-06-07OTP-7907: Allow the use of the "new" ssl (essl).Micael Karlberg
OTP-8564: Update deeprication status. OTP-8573: Inets mod_alias URL rewrite.
2010-05-27OTP-8609: Problems processing netscape cookies - expireMicael Karlberg
OTP-8610: Problem processing netscape cookies - date OTP-8624: Documented debug options not handled
2010-03-19OTP-8508 & OTP-8509.Micael Karlberg
2010-01-13OTP-8016, OTP-8056, OTP-8103, OTP-8106, OTP-8312, OTP-8315, OTP-8327, OTP-8349,Micael Karlberg
OTP-8351, OTP-8359 & OTP-8371.
2009-11-20The R13B03 release.OTP_R13B03Erlang/OTP