Age | Commit message (Collapse) | Author |
|
|
|
server crash (non-fatal) with no reply to client. Will now
result in a reply with status code 400.
OTP-9674
Merge branch 'bmk/inets/httpd/xss_with_bad_header_date/r14/OTP-9674' into bmk/inets/inets572_integration
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
|
|
Merge branch 'bmk/inets/httpd/xss_with_bad_header_date/r13/OTP-9674' into bmk/inets/httpd/xss_with_bad_header_date/r14/OTP-9674
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_server/mod_responsecontrol.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/test/httpd_1_1.erl
lib/inets/test/httpd_SUITE.erl
lib/inets/test/httpd_mod.erl
lib/inets/test/httpd_test_lib.erl
lib/inets/vsn.mk
|
|
Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/http_lib/http_uri.erl
lib/inets/src/http_lib/http_util.erl
lib/inets/src/http_server/httpd_file.erl
lib/inets/src/http_server/httpd_request.erl
lib/inets/src/http_server/httpd_request_handler.erl
lib/inets/src/http_server/httpd_util.erl
lib/inets/src/inets_app/inets.appup.src
lib/inets/test/httpc_SUITE.erl
lib/inets/test/httpd_SUITE.erl
lib/inets/test/httpd_basic_SUITE.erl
lib/inets/test/httpd_test_lib.erl
lib/inets/vsn.mk
|
|
server crash (non-fatal) with no reply to client. Will
now result in a reply with status code 400.
OTP-9674
|
|
OTP-9655
|
|
OTP-9655
|
|
OTP-9655
|
|
URL was encoded (hex-encoded).
OTP-9655
|
|
|
|
as suggested in branch at/error_logger_calls.
|
|
are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.
OTP-8940
[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos
OTP-9124
|
|
cookie processing from www.expedia.com.
OTP-9434
|
|
That is, if the parsing fails, the date should be ignored.
Also added support for (yet another) date format: "Tue Jan 01 08:00:01 2036 GMT"
OTP-9433
|
|
[ftp] FTP client doesn't work with IPv6 host.
Attila Rajmund Nohl
OTP-9342
Merge branch 'bmk/inets/ftp/does_not_handle_ipv6/OTP-9342' into bmk/inets/inets57_integration2
|
|
|
|
|
|
|
|
OTP-5566
Merge branch 'bmk/inets/handle_ipv6_with_ssl2/OTP-5566' into bmk/inets/inets57_integration2
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
lib/inets/test/inets_test_lib.erl
|
|
be run or not.
|
|
|
|
|
|
OTP-9365
|
|
|
|
OTP-9342: IpFamily config option was not handled
OTP-9342: Release notes remain...
OTP-9342: <credit>attila rajmund nohl</credit>
|
|
|
|
For this case to work, we need crypto!
|
|
httpc manager crashes.When a request results in a retry, the request
id will be "reused" in the previous implementation a race condition
could occur causing the manager to crash. This is now avoided by using
proc_lib:init_ack and gen_server:enter_loop to allow more advanced
initialization of httpc_handlers without blocking the httpc_manger
and eliminating extra processes that can cause race conditions.
|
|
|
|
|
|
|
|
* hw/call-chmod-without-f:
Call chmod without the "-f" flag
Conflicts:
erts/emulator/test/Makefile
lib/asn1/test/Makefile
lib/crypto/test/Makefile
lib/debugger/test/Makefile
lib/docbuilder/test/Makefile
lib/edoc/test/Makefile
lib/erl_interface/test/Makefile
lib/inviso/test/Makefile
lib/parsetools/test/Makefile
lib/percept/test/Makefile
lib/ssl/test/Makefile
lib/syntax_tools/test/Makefile
lib/test_server/test/Makefile
lib/tools/test/Makefile
OTP-9170
|
|
test cases.
|
|
bmk/inets/inet56_integration
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
|
|
'bmk/inets/httpd/make_mod_esi_deliver_accept_binary_data/OTP-9123' into bmk/inets/inet56_integration
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
|
|
into bmk/inets/inet56_integration
Conflicts:
lib/inets/doc/src/notes.xml
lib/inets/src/inets_app/inets.appup.src
|
|
Conflicts:
lib/inets/doc/src/notes.xml
Fixed release notes after merge.
|
|
bmk/inets/httpd/make_mod_esi_deliver_accept_binary_data/OTP-9123
|
|
|
|
bmk/inets/ftp/missing_spec_causes_dialyxer_problems/OTP-9114
Also fixed a bunch of "end-years" (was 2010 but should have been 2011,
which the commit hook not happy with).
|
|
|
|
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
|
|
|
|
|
|
Also fixed some of the documentation (types).
|
|
bmk/inets/httpc/support_upload_body_streaming/OTP-OTP-9094
Conflicts:
lib/inets/src/http_client/httpc.erl
lib/inets/test/httpc_SUITE.erl
|
|
Prevent user controlled input from being interpreted as HTML in error
pages by encoding the reserved HTML characters. The reserved character
set should be safe for displaying data within the body of HTML pages
as outlined here:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Previously, weird URLs were URI encoded in the error page. This worked
quite well but the URL would be displayed in the HTML in percent encoded
format. There was also a check for URIs that were already escaped (by
the browser) that would fail if the browser sent an URI containing a
"%", e.g.:
w3m "http://localhost:8080/<b>foo</b>?%"
Also encode the HTTP method and version, since it's possible they may be
manipulated:
<b>FOO</b> /index.html HTTP/1.0
GET /index.html <b>foo</b>/1.0
Encode the static messages to prevent characters from being interpreted
as HTML such as "heavy load (>~w processes)".
|
|
|
|
|
|
|