cvs commit: apache-1.3 Announcement

2000-02-02  jim
jim         00/02/02 14:41:00

  Modified:    .        Announcement
  Log:
  And this will be the Announcement...
  
  Revision  Changes    Path
  1.49      +14 -41    apache-1.3/Announcement
  
  Index: Announcement
  ===
  RCS file: /export/home/cvs/apache-1.3/Announcement,v
  retrieving revision 1.48
  retrieving revision 1.49
  diff -u -r1.48 -r1.49
  --- Announcement  2000/01/19 22:43:01 1.48
  +++ Announcement  2000/02/02 22:40:58 1.49
  @@ -1,57 +1,30 @@
  -Apache 1.3.11 Released
  +Apache 1.3.12 Released
   ==
   
   The Apache Software Foundation and The Apache Server Project are
  -pleased to announce the release of version 1.3.11 of the Apache HTTP server.
  -Apache 1.3.10 was not released due to a last-minute bug found and
  -fixed after the source was tagged and tested.
  +pleased to announce the release of version 1.3.12 of the Apache HTTP server.
   
  -This new Apache version incorporates numerous significant improvements
  -to the server.  Apart from portability and security fixes, documentation
  -enhancements, performance improvements, and assorted other minor
  -features or fixes notable changes are:
  +The primary changes in this version of Apache are those related to
  +the ``cross site scripting'' security alerts described at
   
  -   - Binary and shared builds on several platforms have been
  - improved.
  +   http://www.cert.org/advisories/CA-2000-02.html
  +  - and -
  +   http://www.apache.org/info/css-security/index.html
  +
  +Specifically, charset handling has been improved and reinforced
  +(including 2 new directives: AddDefaultCharset and AddDefaultCharsetName)
  +and server generated pages properly escape ``userland'' input.
   
  -   - The time that a parent waits for its children to die
  - after SIGKILL has been sent has been reduced.
  -
  -   - Various suexec improvements.
  -
  -   - More rigorous checking of Host: headers to fix security problems
  - with mass name-based virtual hosting.
  -
  -   - Addition of the  %q logging format directive (logs "?" and the query
  - string part of a query, or the empty string if no query).
  -
  -   - Improvement of the OS390 port.
  -
  -   - Several EBCDIC fixes.
  -
  -   - Better error reporting during the "compiler sanity" check.
  -
  -   - Fixed the `quad integer' (aka `long long') handling in ap_snprintf.c
  -
  -   - mod_rewrite's general substitution function was overhauled.
  -
  -   - Several WIN32 bugs have been fixed, including:
  - - CGIs broken if script calls other programs which deliver on stdout
  -   (Search this file for "DETACHED")
  - - 16 bit CGIs should work now
  - - Server will not start if passed the -d option with spaces in the
  -   argument.
  -
   A complete listing with detailed descriptions is provided in the
   src/CHANGES file.
   
  -We consider Apache 1.3.11 to be the best version of Apache available and
  +We consider Apache 1.3.12 to be the best version of Apache available and
   we strongly recommend that users of older versions, especially of the
   1.1.x and 1.2.x family, upgrade as soon as possible.  No further releases
   will be made in the 1.2.x family.
   
   
  -Apache 1.3.11 is available for download from
  +Apache 1.3.12 is available for download from
   
   http://www.apache.org/dist/
   
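Review bot: the announcement tells users that 1.3.12 addresses the cross-site scripting alerts but does not say that the new charset mechanism is opt-in. The core.html text committed with this release documents AddDefaultCharset with a default of off, so an upgraded server keeps sending responses without a charset parameter until the administrator turns it on. Suggest adding one sentence after "server generated pages properly escape ``userland'' input." telling administrators to set AddDefaultCharset on, and AddDefaultCharsetName if iso-8859-1 is not the right default for their content.
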
  @@ -62,7 +35,7 @@
   
  http://www.apache.org/dist/binaries/
   
  -As of Apache 1.3.11 binary distributions contain all standard Apache
  +As of Apache 1.3.12 binary distributions contain all standard Apache
   modules as shared objects (if supported by the platform) and include
   full source code.  Installation is easily done by executing the
   included install script.  See the README.bindist and INSTALL.bindist
  

cvs commit: apache-1.3/src/modules/standard mod_actions.c mod_autoindex.c mod_expires.c mod_include.c mod_log_config.c mod_status.c

2000-02-02  jim
jim         00/02/02 12:44:16

  Modified:    htdocs/manual/mod core.html mod_include.html
               src      CHANGES
               src/include http_core.h httpd.h
               src/main http_core.c http_log.c http_protocol.c util.c
               src/modules/proxy proxy_util.c
               src/modules/standard mod_actions.c mod_autoindex.c
                        mod_expires.c mod_include.c mod_log_config.c
                        mod_status.c
  Log:
  Marc's CSS patch!
  
  Revision  Changes    Path
  1.163     +38 -0     apache-1.3/htdocs/manual/mod/core.html
  
  Index: core.html
  ===
  RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/core.html,v
  retrieving revision 1.162
  retrieving revision 1.163
  diff -u -r1.162 -r1.163
  --- core.html 2000/01/18 19:32:49 1.162
  +++ core.html 2000/02/02 20:43:11 1.163
  @@ -23,6 +23,8 @@
   
   AccessConfig
   AccessFileName
  +AddDefaultCharset
  +AddDefaultCharsetName
   AddModule
   AllowOverride
   AuthName
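Review bot: htdocs/manual/mod/directives.html is not in this commit's Modified list, although the standalone 1.3.11 patch further down this page (apache_1.3.11_css_patch.txt) also adds AddCharset, AddDefaultCharset and AddDefaultCharsetName entries to that index. As committed, the two new core directives will appear in core.html but be missing from the master directive index unless directives.html is updated in a follow-up.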
  @@ -162,6 +164,42 @@
   
   AllowOverride None
   
  +
  +AddDefaultCharset directive
  +Syntax: 
  +AddDefaultCharset on / off
  +Context: 
  +all
  +Status: 
  +core
  +Default:
  +AddDefaultCharset off
  +Compatibility:
  + AddDefaultCharset is only available in Apache 1.3.12 and 
later
  +If enabled, any response that does not have any parameter on the content 
  +type in the HTTP headers will have a charset parameter added specifying 
  +the character set the client should use for the document.  This will 
  +override any character set specified in the body of the document via a 
  +META tag.  The character set added is specified by the 
  +AddDefaultCharsetName directive.
  +
  +
  +AddDefaultCharsetName directive
  +Syntax: 
  +AddDefaultCharsetName charset
  +Context: 
  +all
  +Status: 
  +core
  +Default:
  +AddDefaultCharsetName iso-8859-1
  +Compatibility:
  + AddDefaultCharsetName is only available in Apache 1.3.12 and 
  +later
  +This directive specifies the name of the character set that will be added
  +if the AddDefaultCharset directive is 
  +enabled.
  +
   
   AddModule directive
   
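Review bot: the trigger condition "any response that does not have any parameter on the content type" is broader than the directive's purpose and should be tightened or explained. Read literally, a Content-Type that already carries some other parameter (a multipart boundary, say) would never receive a charset, while only parameter-free types would. If the code specifically looks for an existing charset parameter, the text should say that; if it really keys on any parameter at all, that is a gap worth stating. The page should also warn that, because the header overrides any META charset in the body, enabling the directive with the default AddDefaultCharsetName iso-8859-1 will mislabel documents served in other encodings, so AddDefaultCharsetName needs to be set wherever the content's encoding differs (the Context is all, so this can be done per directory).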
  
  
  
  1.24      +22 -1     apache-1.3/htdocs/manual/mod/mod_include.html
  
  Index: mod_include.html
  ===
  RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/mod_include.html,v
  retrieving revision 1.23
  retrieving revision 1.24
  diff -u -r1.23 -r1.24
  --- mod_include.html  1998/09/17 12:06:40 1.23
  +++ mod_include.html  2000/02/02 20:43:16 1.24
  @@ -89,15 +89,34 @@
   routine when printing dates.
   
   
  +
   echo
   
   This command prints one of the include variables, defined below.
   If the variable is unset, it is printed as (none).
   Any dates printed are subject to the currently configured 
timefmt.
  +
   Attributes:
   
   var
   The value is the name of the variable to print.
  +encoding 
  +Specifies how Apache should encode special characters contained
  +in the variable before outputting them.  If set to "none", no encoding
  +will be done.  If set to "url", then URL encoding (also known as
  +%-encoding; this is appropriate for use within URLs in links, etc.)
  +will be performed.  At the start of an echo element,
  +the default is set to "entity", resulting in entity encoding (which
  +is appropriate in the context of a block-level HTML element, eg.
  +a paragraph of text).  This can be changed by adding an
  +encoding attribute, which will remain in effect until
  +the next encoding attribute is encountered or the
  +element ends, whichever comes first.  Note that only special
  +characters as defined in the ISO-8859-1 character encoding will be
  +encoded.  This encoding process may not have the desired result if
  +a different character encoding is in use.  Apache 1.3.12 and above; previous
  +versions do no encoding.
  +
   
   
   exec
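Review bot: the encoding attribute text says entity encoding is "appropriate in the context of a block-level HTML element" but never lists which characters each mode encodes, so a page author cannot tell whether echoing a variable inside an attribute value (for example an href) is safe with encoding="entity" or needs encoding="url"; whether the double quote is encoded is the deciding detail for attribute context. Suggest listing the characters handled by "entity" and by "url". The ISO-8859-1 caveat at the end should also cross-reference the new AddDefaultCharset and AddDefaultCharsetName directives in core.html, since those are the mechanism that makes the client's interpretation of the bytes match the interpretation the encoder assumed.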
  @@ -181,7 +200,9 @@
   
   printenv
   This prints out a listing of all existing variables and their values.
  -No attributes.
  +   Starting with Apache 1.3.12, special characters are entity encoded (see 
the 
  +   echo element for details) before being
  +   output.  No attributes.
   For example: 
   Apache 1.2 and above.
   
  
  
  
  1.1504    +25 -0     apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1503
  retrieving revision 1.1504
  diff -u -r1.1503 -r1.1504
  --- CHANGES   2000/01/20 02:54:52 1.1503
  +++ CHANGES   2000/02/02 20:43:28 1.1504
  @@ -1,6 +1,31 @@
   Changes with Apache 1.3.12
   
  +  *) Add an explicit charset=iso-8859-1 to pages generated by
  + ap_send_error_response(), such as the default 404 page.
  + [Marc Slemko]
   
  +  *) Add the AddDefaultCharset and AddDefaultCharsetName directive

cvs commit: apache-site/info/css-security encoding_examples.html

2000-02-02  marc
marc        00/02/02 11:26:04

  Modified:    info/css-security encoding_examples.html
  Log:
  Sigh.  The Java code is GPLed, so I am removing it.
  
  Revision  Changes    Path
  1.4       +0 -44     apache-site/info/css-security/encoding_examples.html
  
  Index: encoding_examples.html
  ===
  RCS file: 
/export/home/cvs/apache-site/info/css-security/encoding_examples.html,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- encoding_examples.html2000/02/02 19:17:41 1.3
  +++ encoding_examples.html2000/02/02 19:26:03 1.4
  @@ -163,49 +163,5 @@
   http://stein.cshl.org/WWW/software/CGI/ for more details on what
   this module can do.
   
  -Java Example:
  -
  -Unfortunately, Java does not include a standard method for entity
  -encoding data.  One possible method, taken from the http://www.bitmechanic.com/projects/gsp/";>GSP code, is:
  -
  -
  -
  -public static String escapeValue(String str) {  
  -str = replace(str, '&', "&");
  -str = replace(str, '"', """);
  -str = replace(str, '<', "<");
  -str = replace(str, '>', ">");
  -return str;
  -}   
  -
  -public static String replace(String str, char ch, String replace) {  
  -int pos = str.indexOf(ch);
  -if(pos == -1) return str;
  -StringBuffer buff = new StringBuffer(str.length() + 32);
  -int start = 0;
  -while(pos != -1 && start < str.length()) {
  -buff.append(str.substring(start, pos));
  -buff.append(replace);
  -
  -start = pos + 1;
  -if(start < str.length()) pos = str.indexOf(ch, start);
  -}   
  -if(start < str.length()) buff.append(str.substring(start));
  -return buff.toString();
  -}   
  -
  -
  -
  -You would use this in a manner such as:
  - 
  -
  -String Text = "foobar";  
  -String URL = "foobar.html";  
  -
  -System.out.println(escapeValue(Text));
  -System.out.println(java.net.URLEncoder.encode(URL));
  -
  -
   
   
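Review bot: with the whole Java section removed the page no longer offers Java readers anything, yet the one line of the withdrawn text that was not taken from the GPL'd code, java.net.URLEncoder.encode(URL), is standard JDK. Suggest keeping a short Java paragraph that points at java.net.URLEncoder for URL encoding and states that entity encoding of &, <, > and " has to be written by hand because the standard library does not provide it; that conveys the same guidance without the licensing problem.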
  
  
  


cvs commit: apache-site/info/css-security encoding_examples.html

marc        00/02/02 11:17:43

  Modified:    info/css-security encoding_examples.html
  Log:
  Minor HTML fix.
  
  Revision  Changes    Path
  1.3       +2 -2      apache-site/info/css-security/encoding_examples.html
  
  Index: encoding_examples.html
  ===
  RCS file: 
/export/home/cvs/apache-site/info/css-security/encoding_examples.html,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- encoding_examples.html2000/02/02 19:16:54 1.2
  +++ encoding_examples.html2000/02/02 19:17:41 1.3
  @@ -129,8 +129,8 @@
   
   char *Text = "foobar";
   char *URL = "foobar.html";
  -ap_rvputs(r, ap_escape_html(r->pool, Text), "
", NULL); -ap_rvputs(r, "pool, URL), "\">link", NULL); +ap_rvputs(r, ap_escape_html(r->pool, Text), "
", NULL); +ap_rvputs(r, "pool, URL), "\">link", NULL); mod_perl Example:

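Review bot: the removed and added lines are run together in this copy, so the before and after of the "Minor HTML fix" cannot be compared here, but what is visible shows the escaped URL being written straight into an href attribute (the fragment ending in "\">link"). For URLs whose query string contains & as a separator, URI escaping alone is not enough in that position: the attribute value also has to be HTML-escaped (& as &amp;), i.e. ap_escape_html applied over the already URI-escaped string, otherwise the example teaches an incomplete encoding for attribute context. The Text line, which passes ap_escape_html output into element content, is fine as shown.
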
cvs commit: apache-site/info/css-security encoding_examples.html

marc        00/02/02 11:16:55

  Modified:    info/css-security encoding_examples.html
  Log:
  Add info on Java methods, even though it isn't specifically Apache
  related.
  
  Revision  Changes    Path
  1.2       +45 -1     apache-site/info/css-security/encoding_examples.html
  
  Index: encoding_examples.html
  ===
  RCS file: 
/export/home/cvs/apache-site/info/css-security/encoding_examples.html,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- encoding_examples.html2000/02/02 18:02:48 1.1
  +++ encoding_examples.html2000/02/02 19:16:54 1.2
  @@ -163,5 +163,49 @@
   http://stein.cshl.org/WWW/software/CGI/ for more details on what
   this module can do.
   
  - 
  +Java Example:
  +
  +Unfortunately, Java does not include a standard method for entity
  +encoding data.  One possible method, taken from the http://www.bitmechanic.com/projects/gsp/";>GSP code, is:
  +
  +
  +
  +public static String escapeValue(String str) {  
  +str = replace(str, '&', "&");
  +str = replace(str, '"', """);
  +str = replace(str, '<', "<");
  +str = replace(str, '>', ">");
  +return str;
  +}   
  +
  +public static String replace(String str, char ch, String replace) {  
  +int pos = str.indexOf(ch);
  +if(pos == -1) return str;
  +StringBuffer buff = new StringBuffer(str.length() + 32);
  +int start = 0;
  +while(pos != -1 && start < str.length()) {
  +buff.append(str.substring(start, pos));
  +buff.append(replace);
  +
  +start = pos + 1;
  +if(start < str.length()) pos = str.indexOf(ch, start);
  +}   
  +if(start < str.length()) buff.append(str.substring(start));
  +return buff.toString();
  +}   
  +
  +
  +
  +You would use this in a manner such as:
  + 
  +
  +String Text = "foobar";  
  +String URL = "foobar.html";  
  +
  +System.out.println(escapeValue(Text));
  +System.out.println(java.net.URLEncoder.encode(URL));
  +
  +
  +
   
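Review bot: as rendered here the four replacement strings in escapeValue read as the same single character they replace ('&' -> "&", '"' -> "\"", '<' -> "<", '>' -> ">"), which makes the function a no-op. In the HTML source the replacement strings must be the entity names with their own ampersands escaped (&amp;amp; &amp;quot; &amp;lt; &amp;gt;) so that the browser displays &amp; &quot; &lt; &gt;; worth checking the committed file, because a copy-pasted escaper that escapes nothing is worse than no example. Separately, java.net.URLEncoder.encode(String) produces application/x-www-form-urlencoded output (a space becomes +), which is right for query strings but not for path segments, and the page might say so next to the URL example.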
  
  
  


cvs commit: apache-site httpd.html

marc        00/02/02 10:04:23

  Modified:    .        httpd.html
  Log:
  Add link to info about security issue.
  
  Revision  Changes    Path
  1.85      +9 -0      apache-site/httpd.html
  
  Index: httpd.html
  ===
  RCS file: /home/cvs/apache-site/httpd.html,v
  retrieving revision 1.84
  retrieving revision 1.85
  diff -u -r1.84 -r1.85
  --- httpd.html2000/01/22 21:11:23 1.84
  +++ httpd.html2000/02/02 18:04:11 1.85
  @@ -61,6 +61,15 @@
   
   
   
  +Cross Site Scripting Security Problem
  +
  +We have added information about the recently discovered 
  +Cross Site Scripting security problem
  +that was announced in a recent 
  +http://www.cert.org/advisories/CA-2000-02.html";>CERT Advisory.
  +
  +
  +
   
   Apache 1.3.11 Now Available
   
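Review bot: the only link visible in this copy is the CERT advisory; if the phrase "Cross Site Scripting security problem" is not already a link to the local /info/css-security/ pages and the 1.3.11 patch added in the sibling commit, it should be, since that is the material a reader of this page needs first. The item also does not say which Apache versions are affected or that a fixed release is forthcoming; a single sentence covering both would save readers a trip to the advisory.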
  
  
  


cvs commit: apache-site/info/css-security apache_1.3.11_css_patch.txt apache_specific.html encoding_examples.html index.html

marc        00/02/02 10:02:51

  Added:       info/css-security apache_1.3.11_css_patch.txt
                        apache_specific.html encoding_examples.html
                        index.html
  Log:
  Added information about recently discovered cross site scripting security
  problem.
  
  Revision  Changes    Path
  1.1                  apache-site/info/css-security/apache_1.3.11_css_patch.txt
  
  Index: apache_1.3.11_css_patch.txt
  ===
  This patch is against Apache 1.3.11.  It may be updated as the situation
  warrants.
  
  Last updated: Wed Feb  2 01:09:23 MST 2000
  
  Index: htdocs/manual/mod/core.html
  ===
  RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/core.html,v
  retrieving revision 1.162
  diff -u -r1.162 core.html
  --- core.html 2000/01/18 19:32:49 1.162
  +++ core.html 2000/02/02 07:59:17
  @@ -23,6 +23,8 @@
   
   AccessConfig
   AccessFileName
  +AddDefaultCharset
  +AddDefaultCharsetName
   AddModule
   AllowOverride
   AuthName
  @@ -162,6 +164,42 @@
   
   AllowOverride None
   
  +
  +AddDefaultCharset directive
  +Syntax: 
  +AddDefaultCharset on / off
  +Context: 
  +all
  +Status: 
  +core
  +Default:
  +AddDefaultCharset off
  +Compatibility:
  + AddDefaultCharset is only available in Apache 1.3.12 and 
later
  +If enabled, any response that does not have any parameter on the content 
  +type in the HTTP headers will have a charset parameter added specifying 
  +the character set the client should use for the document.  This will 
  +override any character set specified in the body of the document via a 
  +META tag.  The character set added is specified by the 
  +AddDefaultCharsetName directive.
  +
  +
  +AddDefaultCharsetName directive
  +Syntax: 
  +AddDefaultCharsetName charset
  +Context: 
  +all
  +Status: 
  +core
  +Default:
  +AddDefaultCharsetName iso-8859-1
  +Compatibility:
  + AddDefaultCharsetName is only available in Apache 1.3.12 and 
  +later
  +This directive specifies the name of the character set that will be added
  +if the AddDefaultCharset directive is 
  +enabled.
  +
   
   AddModule directive
   
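Review bot: this patch is stated at the top to be against Apache 1.3.11, yet the Compatibility lines it adds say the directives are "only available in Apache 1.3.12 and later". An administrator who applies the patch to 1.3.11 ends up with directives that the manual installed by the same patch says they do not have. Suggest the patch's header text, or the Compatibility lines in this hunk, say that 1.3.11 with this patch applied also provides AddDefaultCharset and AddDefaultCharsetName.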
  Index: htdocs/manual/mod/directives.html
  ===
  RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/directives.html,v
  retrieving revision 1.60
  diff -u -r1.60 directives.html
  --- directives.html 1999/12/19 16:34:32 1.60
  +++ directives.html 2000/02/02 08:09:07
  @@ -30,6 +30,9 @@
   AddAlt
   AddAltByEncoding
   AddAltByType
  +AddCharset
  +AddDefaultCharset
  +AddDefaultCharsetName
   AddDescription
   AddEncoding
   AddHandler
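Review bot: AddCharset is added to the directive index together with the two new core directives, but nothing else in this patch documents AddCharset, so verify that the target of that index entry already exists in the manual or the link will dangle. If AddCharset was simply missing from the index before, that is a documentation fix that would be cleaner as a separate commit rather than inside the security patch, so the patch stays minimal for people reviewing it.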
  Index: htdocs/manual/mod/mod_include.html
  ===
  RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/mod_include.html,v
  retrieving revision 1.23
  diff -u -r1.23 mod_include.html
  --- mod_include.html  1998/09/17 12:06:40 1.23
  +++ mod_include.html  2000/02/02 07:59:18
  @@ -89,15 +89,34 @@
   routine when printing dates.
   
   
  +
   echo
   
   This command prints one of the include variables, defined below.
   If the variable is unset, it is printed as (none).
   Any dates printed are subject to the currently configured 
timefmt.
  +
   Attributes:
   
   var
   The value is the name of the variable to print.
  +encoding 
  +Specifies how Apache should encode special characters contained
  +in the variable before outputting them.  If set to "none", no encoding
  +will be done.  If set to "url", then URL encoding (also known as
  +%-encoding; this is appropriate for use within URLs in links, etc.)
  +will be performed.  At the start of an echo element,
  +the default is set to "entity", resulting in entity encoding (which
  +is appropriate in the context of a block-level HTML element, eg.
  +a paragraph of text).  This can be changed by adding an
  +encoding attribute, which will remain in effect until
  +the next encoding attribute is encountered or the
  +element ends, whichever comes first.  Note that only special
  +characters as defined in the ISO-8859-1 character encoding will be
  +encoded.  This encoding process may not have the desired result if
  +a different character encoding is in use.  Apache 1.3.12 and above; previous
  +versions do no encoding.
  +
   
   
   exec
  @@ -181,7 +200,9 @@
   
   printenv
   This prints out a listing of all existing variables and their values.
  -No attributes.
  +   Starting with Apache 1.3.12, special characters are entity encoded (see 
the 
  +   echo element for details) before being
  +   output.  No attributes.
   For example: 
   Apache 1.2 and above.
   
  Index: src/CHANGES
  ===
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.150

cvs commit: apache-site/info/css-security - New directory

marc        00/02/02 09:56:16

  apache-site/info/css-security - New directory