Age | Commit message (Collapse) | Author |
|
OTP-10106
OTP-10107
|
|
|
|
|
|
bmk/inets/inets59_integration
|
|
Added verbosity printouts to detect error reason for
file access error on windows.
|
|
Added ability to configure the server software
header field (with the server_tokens config option).
OTP-9805
|
|
|
|
|
|
bmk/inets/inets58_integration2
|
|
Also fixed cookie_header/3 and updated documented
accordingly. Also added documentation for undocumented
URI parse option.
|
|
bmk/inets/inets58_integration2
|
|
size as list of numbers. This list was actually the size as a string,
e.g. "123", written with the control sequence ~w. This has now been
corrected so that any string is converted to an integer (if possible).
OTP-9733
|
|
|
|
Garrett Smith
OTP-9715
Merge branch 'gs/mod_log-fix' into bmk/inets/httpd/content_len_in_mod_log/OTP-9715
|
|
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_lib/http_uri.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/vsn.mk
|
|
server crash (non-fatal) with no reply to client. Will now
result in a reply with status code 400.
OTP-9674
Merge branch 'bmk/inets/httpd/xss_with_bad_header_date/r14/OTP-9674' into bmk/inets/inets572_integration
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
|
|
Merge branch 'bmk/inets/httpd/xss_with_bad_header_date/r13/OTP-9674' into bmk/inets/httpd/xss_with_bad_header_date/r14/OTP-9674
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_server/mod_responsecontrol.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/test/httpd_1_1.erl
lib/inets/test/httpd_SUITE.erl
lib/inets/test/httpd_mod.erl
lib/inets/test/httpd_test_lib.erl
lib/inets/vsn.mk
|
|
|
|
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_lib/http_uri.erl
lib/inets/src/http_lib/http_util.erl
lib/inets/src/http_server/httpd_file.erl
lib/inets/src/http_server/httpd_request.erl
lib/inets/src/http_server/httpd_request_handler.erl
lib/inets/src/http_server/httpd_util.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/test/httpc_SUITE.erl
lib/inets/test/httpd_SUITE.erl
lib/inets/test/httpd_basic_SUITE.erl
lib/inets/test/httpd_test_lib.erl
lib/inets/vsn.mk
|
|
server crash (non-fatal) with no reply to client. Will
now result in a reply with status code 400.
OTP-9674
|
|
do the actual html encode.
OTP-9655
|
|
OTP-9655
|
|
URL was encoded (hex-encoded).
OTP-9655
|
|
* dev:
Update copyright years
|
|
|
|
mod_log uses content length from response headers when
logging transfer length, which is a string. It needs to
be converted to an integer when logged.
|
|
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
lib/inets/test/httpc_cookie_SUITE.erl
lib/inets/vsn.mk
|
|
That is, if the parsing fails, the date should be ignored.
Also added support for (yet another) date format:
"Tue Jan 01 08:00:01 2036 GMT".
OTP-9433
[httpc] Rewrote cookie parsing. Among other things solving
cookie processing from www.expedia.com.
OTP-9434
[httpd] Fix httpd directory traversal on Windows.
Directory traversal was possible on Windows where
backward slash is used as directory separator.
Andr�s Veres-Szentkir�lyi.
OTP-9561
Merge branch 'bmk/inets/inets571_integration' into dev
|
|
Conflicts:
erts/aclocal.m4
erts/include/internal/ethread_header_config.h.in
|
|
|
|
bmk/inets/httpd/windows_dir_traversal/OTP-OTP-9561
|
|
|
|
|
|
are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.
OTP-8940
[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos
OTP-9124
|
|
[httpc] Deprecated interface module <c>http</c> has been removed.
It has (long) been replaced by http client interface module httpc.
OTP-9359
[httpc|httpd] The old ssl implementation (based on OpenSSL),
has been deprecated. The config option that specified usage of
this version of the ssl app, *ossl*, has been removed.
OTP-9522
|
|
The ossl option is no longer valid since the old ssl (OpenSSL
based ssl variant) has been removed from the ssl app.
OTP-9522
|
|
Although the validation in httpd_request works well on platforms using
forward slash as directory separator, on Windows systems, this
protection can be circumvented using URLs containing backslashes.
This way, any file accessible to the user running the server (even
those outside the document root) can be read through HTTP. This commit
solves the problem by expanding the list of path separators to '/\\'.
|
|
|
|
|
|
socket type ip_comm.
|
|
|
|
OTP-9158
|
|
OTP-9157
|
|
bmk/inets/inet56_integration
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
|
|
When a mod_esi request times out, the code to send a timeout response
was incorrect and generated an internal server error as well as an invalid
response line.
|
|
|
|
This change allows for more efficient delivery of large amounts of
data through the mod_esi interface when the handling process has that
data in binary format. It avoids the need to convert to list and the
extra memory involved in passing that list between processes.
|
|
Prevent user controlled input from being interpreted as HTML in error
pages by encoding the reserved HTML characters. The reserved character
set should be safe for displaying data within the body of HTML pages
as outlined here:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Previously, weird URLs were URI encoded in the error page. This worked
quite well but the URL would be displayed in the HTML in percent encoded
format. There was also a check for URIs that were already escaped (by
the browser) that would fail if the browser sent an URI containing a
"%", e.g.:
w3m "http://localhost:8080/<b>foo</b>?%"
Also encode the HTTP method and version, since it's possible they may be
manipulated:
<b>FOO</b> /index.html HTTP/1.0
GET /index.html <b>foo</b>/1.0
Encode the static messages to prevent characters from being interpreted
as HTML such as "heavy load (>~w processes)".
|
|
HTTPD header file install "fixed". That is, the include files in the
include dir are installed in the include dir (by the Makefile in the
src/inets_app). New wrapper header files (with the same names
httpd.hrl and mod_auth.hrl) has been created in the src/http_server
dir (which in turn is installed in the src/http_server dir by the
Makefile in the src/http_server dir).
|
|
Internal server error is only used for emfile and enfile all
other errors are treated as 404 file not found, except 403 eacces.
|