Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters.

Prevent user controlled input from being interpreted as HTML in error
pages by encoding the reserved HTML characters. The reserved character
set should be safe for displaying data within the body of HTML pages
as outlined here:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Previously, weird URLs were URI encoded in the error page. This worked
quite well but the URL would be displayed in the HTML in percent encoded
format. There was also a check for URIs that were already escaped (by
the browser) that would fail if the browser sent a URI containing a
"%", e.g.:

    w3m "http://localhost:8080/<b>foo</b>?%"

Also encode the HTTP method and version, since it's possible they may be
manipulated:

    <b>FOO</b> /index.html HTTP/1.0
    GET /index.html <b>foo</b>/1.0

Encode the static messages to prevent characters from being interpreted
as HTML such as "heavy load (>~w processes)".
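The encoding the message describes, as an added Erlang example that is not part of the OTP commit or of the inets code base; the module name, the error-page layout and the function names are assumptions. It applies the OWASP reserved-character set to each field of the request line and to the static "heavy load" message quoted above.

```erlang
-module(html_escape_example).
-export([escape/1, error_page/3, heavy_load_message/1]).

%% Encode the HTML reserved characters recommended by the OWASP XSS
%% prevention cheat sheet so request data is rendered as text, not markup.
%% Accepts a string (possibly a deep io_lib list) or a binary and returns
%% a flat string.
escape(Data) when is_binary(Data) ->
    escape(binary_to_list(Data));
escape(Data) when is_list(Data) ->
    lists:flatmap(fun escape_char/1, lists:flatten(Data)).

escape_char($&) -> "&amp;";
escape_char($<) -> "&lt;";
escape_char($>) -> "&gt;";
escape_char($") -> "&quot;";
escape_char($') -> "&#x27;";
escape_char($/) -> "&#x2F;";
escape_char(C)  -> [C].

%% Minimal error page body. Method, URI and version all come from the
%% request line, so every one of them is escaped before insertion.
%% The page layout is an assumption, not the real inets template.
error_page(Method, Uri, Version) ->
    lists:flatten(
      io_lib:format("<html><body><h1>400 Bad Request</h1>~n"
                    "<p>~s ~s ~s</p>~n</body></html>",
                    [escape(Method), escape(Uri), escape(Version)])).

%% Static messages go through the same encoder: the ">" in
%% "heavy load (>~w processes)" would otherwise reach the browser raw.
heavy_load_message(N) when is_integer(N) ->
    escape(io_lib:format("heavy load (>~w processes)", [N])).
```

With the request line `<b>FOO</b> /index.html HTTP/1.0` from the message, `error_page("<b>FOO</b>", "/index.html", "HTTP/1.0")` renders the method as `&lt;b&gt;FOO&lt;&#x2F;b&gt;`, so the browser shows the tags as literal text.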
added missing include directory.
As the web server uses the option ipfamily
with value inet6fb4, so should the client.
Also some make cleanup (testing for TAR.exclude
in data dirs before using).
Header in vsn.mk file also missing for some reason!
* maint-r13:
snmp: Patch 1130
inets: Patch 1129
ssh: Patch 1127
ssh: Patch 1126
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
lib/inets/vsn.mk
lib/snmp/vsn.mk
lib/ssh/doc/src/notes.xml
lib/ssh/src/ssh.appup.src
lib/ssh/vsn.mk
OTP-8739 [httpc] If a request times out (not connect timeout), the
handler process exited (normal) but neglected to inform
the manager process. For this reason, the manager did not
clean up the request table, resulting in a memory leak.
Also the manager did not create a monitor for the handler,
so in an unforeseen handler crash, this could also create
a memory leak.
OTP-8741 The service tftp was spelled wrong in documentation and
in some parts of the code. It should be tftp.
OTP-8742 [httpc] Replaced the old http client API module (http) with
the new, httpc, in the user's guide.
OTP-8609 [httpc] Made cookie handling more case insensitive.
OTP-8610 [httpc|httpd] Some netscape cookie dates are given with
a 2-digit year (e.g. 06 = 2006).
OTP-8624 [httpd] Added support (again) for the documented debugging
features. See the User's Guide Configuration chapter for
more info.
OTP-8564: Update deprecated status.
OTP-8573: Inets mod_alias URL rewrite.
OTP-8564: Update deprecation status.
OTP-8573: Inets mod_alias URL rewrite.
OTP-8610: Some netscape cookie dates are given with a 2-digit year.
OTP-8431: [email protected]
between the httpc manager and request handler was synchronous.
When the manager starts a new request handler, this is no longer
a synchronous operation. Previously, the new request handler made
the connection to the server and issued the first request
(the reason for starting it) in the gen_server init function. If
the connection for some reason "took some time", the manager
hung, leaving all other activities by that manager also
hanging. As a side-effect of these changes, some modules were also
renamed, and a new API module, httpc, has been introduced (the
old module, http, is *not* removed, but is now just a wrapper for
httpc).
OTP-8351, OTP-8359 & OTP-8371.
OTP-8351, OTP-8359 & OTP-8371.
OTP-8351, OTP-8359 & OTP-8371.
OTP-8351, OTP-8359 & OTP-8371.