cvs commit: apache-1.3 Announcement
jim 00/02/02 14:41:00 Modified:.Announcement Log: And this will be the Announcement... Revision ChangesPath 1.49 +14 -41apache-1.3/Announcement Index: Announcement === RCS file: /export/home/cvs/apache-1.3/Announcement,v retrieving revision 1.48 retrieving revision 1.49 diff -u -r1.48 -r1.49 --- Announcement 2000/01/19 22:43:01 1.48 +++ Announcement 2000/02/02 22:40:58 1.49 
@@ -1,57 +1,30 @@ -Apache 1.3.11 Released +Apache 1.3.12 Released == The Apache Software Foundation and The Apache Server Project are -pleased to announce the release of version 1.3.11 of the Apache HTTP server. -Apache 1.3.10 was not released due to a last-minute bug found and -fixed after the source was tagged and tested. +pleased to announce the release of version 1.3.12 of the Apache HTTP server. -This new Apache version incorporates numerous significant improvements -to the server. Apart from portability and security fixes, documentation -enhancements, performance improvements, and assorted other minor -features or fixes notable changes are: +The primary changes in this version of Apache are those related to +the ``cross site scripting'' security alerts described at - - Binary and shared builds on several platforms have been - improved. + http://www.cert.org/advisories/CA-2000-02.html + - and - + http://www.apache.org/info/css-security/index.html + +Specifically, charset handling has been improved and reinforced +(including 2 new directives: AddDefaultCharset and AddDefaultCharsetName) +and server generated pages properly escape ``userland'' input. - - The time that a parent waits for its children to die - after SIGKILL has been sent has been reduced. - - - Various suexec improvements. - - - More rigorous checking of Host: headers to fix security problems - with mass name-based virtual hosting. - - - Addition of the %q logging format directive (logs "?" and the query - string part of a query, or the empty string if no query). - - - Improvement of the OS390 port. - - - Several EBCDIC fixes. - - - Better error reporting during the "compiler sanity" check. - - - Fixed the `quad integer' (aka `long long') handling in ap_snprintf.c - - - mod_rewrite's general substitution function was overhauled. 
- - - Several WIN32 bugs have been fixed, including: - - CGIs broken if script calls other programs which deliver on stdout - (Search this file for "DETACHED") - - 16 bit CGIs should work now - - Server will not start if passed the -d option with spaces in the - argument. - A complete listing with detailed descriptions is provided in the src/CHANGES file. -We consider Apache 1.3.11 to be the best version of Apache available and +We consider Apache 1.3.12 to be the best version of Apache available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family. -Apache 1.3.11 is available for download from +Apache 1.3.12 is available for download from http://www.apache.org/dist/ @@ -62,7 +35,7 @@ http://www.apache.org/dist/binaries/ -As of Apache 1.3.11 binary distributions contain all standard Apache +As of Apache 1.3.12 binary distributions contain all standard Apache modules as shared objects (if supported by the platform) and include full source code. Installation is easily done by executing the included install script. See the README.bindist and INSTALL.bindist
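Review bot: The new charset paragraph names AddDefaultCharset and AddDefaultCharsetName as part of the cross site scripting fix but never says they have to be switched on. The core.html text in the 1.3.12 CSS patch gives "Default: AddDefaultCharset off". Suggest a sentence telling administrators to enable AddDefaultCharset if they want the charset parameter on responses. The phrase "server generated pages properly escape ``userland'' input" would also be more useful if it listed the kinds of pages affected. The hunk drops the whole 1.3.11 feature list as well, so anyone upgrading from an older release now depends on the retained pointer to src/CHANGES; worth confirming that is intended.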
cvs commit: apache-1.3/src/modules/standard mod_actions.c mod_autoindex.c mod_expires.c mod_include.c mod_log_config.c mod_status.c
jim 00/02/02 12:44:16 Modified:htdocs/manual/mod core.html mod_include.html src CHANGES src/include http_core.h httpd.h src/main http_core.c http_log.c http_protocol.c util.c src/modules/proxy proxy_util.c src/modules/standard mod_actions.c mod_autoindex.c mod_expires.c mod_include.c mod_log_config.c mod_status.c Log: Marc's CSS patch! Revision ChangesPath 1.163 +38 -0 apache-1.3/htdocs/manual/mod/core.html Index: core.html === RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/core.html,v retrieving revision 1.162 retrieving revision 1.163 diff -u -r1.162 -r1.163 --- core.html 2000/01/18 19:32:49 1.162 +++ core.html 2000/02/02 20:43:11 1.163 @@ -23,6 +23,8 @@ AccessConfig AccessFileName +AddDefaultCharset +AddDefaultCharsetName AddModule AllowOverride AuthName 
@@ -162,6 +164,42 @@AllowOverride None + +AddDefaultCharset directive +Syntax: +AddDefaultCharset on / off +Context: +all +Status: +core +Default: +AddDefaultCharset off +Compatibility: + AddDefaultCharset is only available in Apache 1.3.12 and later +If enabled, any response that does not have any parameter on the content +type in the HTTP headers will have a charset parameter added specifying +the character set the client should use for the document. This will +override any character set specified in the body of the document via a +META tag. The character set added is specified by the +AddDefaultCharsetName directive. + + +AddDefaultCharsetName directive +Syntax: +AddDefaultCharsetName charset +Context: +all +Status: +core +Default: +AddDefaultCharsetName iso-8859-1 +Compatibility: + AddDefaultCharsetName is only available in Apache 1.3.12 and +later +This directive specifies the name of the character set that will be added +if the AddDefaultCharset directive is +enabled. + AddModule directive 1.24 +22 -1 apache-1.3/htdocs/manual/mod/mod_include.html Index: mod_include.html === RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/mod_include.html,v retrieving revision 1.23 retrieving revision 1.24 diff -u -r1.23 -r1.24 --- mod_include.html 1998/09/17 12:06:40 1.23 +++ mod_include.html 2000/02/02 20:43:16 1.24 
@@ -89,15 +89,34 @@ routine when printing dates. + echo This command prints one of the include variables, defined below. If the variable is unset, it is printed as (none). Any dates printed are subject to the currently configured timefmt. + Attributes: var The value is the name of the variable to print. +encoding +Specifies how Apache should encode special characters contained +in the variable before outputting them. If set to "none", no encoding +will be done. If set to "url", then URL encoding (also known as +%-encoding; this is appropriate for use within URLs in links, etc.) +will be performed. At the start of an echo element, +the default is set to "entity", resulting in entity encoding (which +is appropriate in the context of a block-level HTML element, eg. +a paragraph of text). This can be changed by adding an +encoding attribute, which will remain in effect until +the next encoding attribute is encountered or the +element ends, whichever comes first. Note that only special +characters as defined in the ISO-8859-1 character encoding will be +encoded. This encoding process may not have the desired result if +a different character encoding is in use. Apache 1.3.12 and above; previous +versions do no encoding. + exec @@ -181,7 +200,9 @@ printenv This prints out a listing of all existing variables and their values. -No attributes. + Starting with Apache 1.3.12, special characters are entity encoded (see the + echo element for details) before being + output. No attributes. For example: Apache 1.2 and above. 1.1504+25 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1503 retrieving revision 1.1504 diff -u -r1.1503 -r1.1504 --- CHANGES 2000/01/20 02:54:52 1.1503 +++ CHANGES 2000/02/02 20:43:28 1.1504 
@@ -1,6 +1,31 @@ Changes with Apache 1.3.12 + *) Add an explicit charset=iso-8859-1 to pages generated by + ap_send_error_response(), such as the default 404 page. + [Marc Slemko] + *) Add the AddDefaultCharset and AddDefaultCharsetName directive
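Review bot: In the core.html hunk for AddDefaultCharset, the condition "any response that does not have any parameter on the content type" is easy to misread. As written, a response whose Content-Type already carries some other parameter gets no charset added; suggest stating that case explicitly. With "Default: AddDefaultCharset off" the behaviour is opt-in. Because the added charset "will override any character set specified in the body of the document via a META tag", the text should also tell administrators who serve documents in another character set to set AddDefaultCharsetName to match before enabling it.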
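Review bot: In the mod_include.html hunk, the encoding attribute text implies but never states that attribute order matters. Since the setting "will remain in effect until the next encoding attribute is encountered or the element ends", it only applies to var attributes that come after it. Suggest saying outright that encoding must precede the var it is meant to affect, and that every echo element starts again at "entity". The text ties "entity" to block-level HTML content and "url" to links; a short remark that output placed in any other context is not made safe by either mode would stop readers assuming the default covers everything.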
cvs commit: apache-site/info/css-security encoding_examples.html
marc00/02/02 11:26:04 Modified:info/css-security encoding_examples.html Log: Sigh. The Java code is GPLed, so I am removing it. Revision ChangesPath 1.4 +0 -44 apache-site/info/css-security/encoding_examples.html Index: encoding_examples.html === RCS file: /export/home/cvs/apache-site/info/css-security/encoding_examples.html,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- encoding_examples.html2000/02/02 19:17:41 1.3 +++ encoding_examples.html2000/02/02 19:26:03 1.4 @@ -163,49 +163,5 @@ http://stein.cshl.org/WWW/software/CGI/ for more details on what this module can do. -Java Example: - -Unfortunately, Java does not include a standard method for entity -encoding data. One possible method, taken from the http://www.bitmechanic.com/projects/gsp/";>GSP code, is: - - - -public static String escapeValue(String str) { -str = replace(str, '&', "&"); -str = replace(str, '"', """); -str = replace(str, '<', "<"); -str = replace(str, '>', ">"); -return str; -} - -public static String replace(String str, char ch, String replace) { -int pos = str.indexOf(ch); -if(pos == -1) return str; -StringBuffer buff = new StringBuffer(str.length() + 32); -int start = 0; -while(pos != -1 && start < str.length()) { -buff.append(str.substring(start, pos)); -buff.append(replace); - -start = pos + 1; -if(start < str.length()) pos = str.indexOf(ch, start); -} -if(start < str.length()) buff.append(str.substring(start)); -return buff.toString(); -} - - - -You would use this in a manner such as: - - -String Text = "foobar"; -String URL = "foobar.html"; - -System.out.println(escapeValue(Text)); -System.out.println(java.net.URLEncoder.encode(URL)); - -
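Review bot: The removal takes out more than the GPLed code. Everything from "Java Example:" through the usage snippet goes, including the statement that Java has no standard method for entity encoding and the java.net.URLEncoder.encode(URL) call, which is a standard library call and not GSP code. Suggest keeping the heading, that sentence and the URLEncoder line, and dropping only escapeValue and replace, so Java readers still learn that they have to supply their own entity encoder.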
cvs commit: apache-site/info/css-security encoding_examples.html
marc00/02/02 11:17:43 Modified:info/css-security encoding_examples.html Log: Minor HTML fix. Revision ChangesPath 1.3 +2 -2 apache-site/info/css-security/encoding_examples.html Index: encoding_examples.html === RCS file: /export/home/cvs/apache-site/info/css-security/encoding_examples.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- encoding_examples.html2000/02/02 19:16:54 1.2 +++ encoding_examples.html2000/02/02 19:17:41 1.3 @@ -129,8 +129,8 @@ char *Text = "foobar"; char *URL = "foobar.html"; -ap_rvputs(r, ap_escape_html(r->pool, Text), "
", NULL); -ap_rvputs(r, "pool, URL), "\">link", NULL); +ap_rvputs(r, ap_escape_html(r->pool, Text), "
", NULL); +ap_rvputs(r, "pool, URL), "\">link", NULL); mod_perl Example:
cvs commit: apache-site/info/css-security encoding_examples.html
marc00/02/02 11:16:55 Modified:info/css-security encoding_examples.html Log: Add info on Java methods, even though it isn't specifically Apache related. Revision ChangesPath 1.2 +45 -1 apache-site/info/css-security/encoding_examples.html Index: encoding_examples.html === RCS file: /export/home/cvs/apache-site/info/css-security/encoding_examples.html,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- encoding_examples.html2000/02/02 18:02:48 1.1 +++ encoding_examples.html2000/02/02 19:16:54 1.2 @@ -163,5 +163,49 @@ http://stein.cshl.org/WWW/software/CGI/ for more details on what this module can do. - +Java Example: + +Unfortunately, Java does not include a standard method for entity +encoding data. One possible method, taken from the http://www.bitmechanic.com/projects/gsp/";>GSP code, is: + + + +public static String escapeValue(String str) { +str = replace(str, '&', "&"); +str = replace(str, '"', """); +str = replace(str, '<', "<"); +str = replace(str, '>', ">"); +return str; +} + +public static String replace(String str, char ch, String replace) { +int pos = str.indexOf(ch); +if(pos == -1) return str; +StringBuffer buff = new StringBuffer(str.length() + 32); +int start = 0; +while(pos != -1 && start < str.length()) { +buff.append(str.substring(start, pos)); +buff.append(replace); + +start = pos + 1; +if(start < str.length()) pos = str.indexOf(ch, start); +} +if(start < str.length()) buff.append(str.substring(start)); +return buff.toString(); +} + + + +You would use this in a manner such as: + + +String Text = "foobar"; +String URL = "foobar.html"; + +System.out.println(escapeValue(Text)); +System.out.println(java.net.URLEncoder.encode(URL)); + + +
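Review bot: escapeValue in the added Java example replaces only &, ", < and >, so a single quote passes through unchanged. Either the text should say the result is meant for element content and double-quoted attribute values, or the function should handle ' as well. The code is introduced as taken from the GSP code with no licence or attribution line, which needs settling before it goes on the site. As shown here the replacement strings are identical to the characters they replace, so check that the rendered page displays the entity names literally.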
cvs commit: apache-site httpd.html
marc00/02/02 10:04:23 Modified:.httpd.html Log: Add link to info about security issue. Revision ChangesPath 1.85 +9 -0 apache-site/httpd.html Index: httpd.html === RCS file: /home/cvs/apache-site/httpd.html,v retrieving revision 1.84 retrieving revision 1.85 diff -u -r1.84 -r1.85 --- httpd.html2000/01/22 21:11:23 1.84 +++ httpd.html2000/02/02 18:04:11 1.85 @@ -61,6 +61,15 @@ +Cross Site Scripting Security Problem + +We have added information about the recently discovered +Cross Site Scripting security problem +that was announced in a recent +http://www.cert.org/advisories/CA-2000-02.html";>CERT Advisory. + + + Apache 1.3.11 Now Available
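Review bot: The new "Cross Site Scripting Security Problem" item links to the information pages and the CERT advisory but does not tell a reader what to do, and it sits directly above "Apache 1.3.11 Now Available" without saying whether 1.3.11 is affected. Suggest one sentence stating that a patch against 1.3.11 is available under info/css-security. Also check the CERT link markup: the line shows CA-2000-02.html followed by ";> which looks like a stray semicolon inside the anchor tag.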
cvs commit: apache-site/info/css-security apache_1.3.11_css_patch.txt apache_specific.html encoding_examples.html index.html
marc00/02/02 10:02:51 Added: info/css-security apache_1.3.11_css_patch.txt apache_specific.html encoding_examples.html index.html Log: Added information about recently discovered cross site scripting security problem. Revision ChangesPath 1.1 apache-site/info/css-security/apache_1.3.11_css_patch.txt Index: apache_1.3.11_css_patch.txt === This patch is against Apache 1.3.11. It may be updated as the situation warrants. Last updated: Wed Feb 2 01:09:23 MST 2000 Index: htdocs/manual/mod/core.html === RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/core.html,v retrieving revision 1.162 diff -u -r1.162 core.html --- core.html 2000/01/18 19:32:49 1.162 +++ core.html 2000/02/02 07:59:17 @@ -23,6 +23,8 @@ AccessConfig AccessFileName +AddDefaultCharset +AddDefaultCharsetName AddModule AllowOverride AuthName 
@@ -162,6 +164,42 @@AllowOverride None + +AddDefaultCharset directive +Syntax: +AddDefaultCharset on / off +Context: +all +Status: +core +Default: +AddDefaultCharset off +Compatibility: + AddDefaultCharset is only available in Apache 1.3.12 and later +If enabled, any response that does not have any parameter on the content +type in the HTTP headers will have a charset parameter added specifying +the character set the client should use for the document. This will +override any character set specified in the body of the document via a +META tag. The character set added is specified by the +AddDefaultCharsetName directive. + + +AddDefaultCharsetName directive +Syntax: +AddDefaultCharsetName charset +Context: +all +Status: +core +Default: +AddDefaultCharsetName iso-8859-1 +Compatibility: + AddDefaultCharsetName is only available in Apache 1.3.12 and +later +This directive specifies the name of the character set that will be added +if the AddDefaultCharset directive is +enabled. + AddModule directive Index: htdocs/manual/mod/directives.html === RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/directives.html,v retrieving revision 1.60 diff -u -r1.60 directives.html --- directives.html 1999/12/19 16:34:32 1.60 +++ directives.html 2000/02/02 08:09:07 @@ -30,6 +30,9 @@ AddAlt AddAltByEncoding AddAltByType +AddCharset +AddDefaultCharset +AddDefaultCharsetName AddDescription AddEncoding AddHandler Index: htdocs/manual/mod/mod_include.html === RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/mod_include.html,v retrieving revision 1.23 diff -u -r1.23 mod_include.html --- mod_include.html 1998/09/17 12:06:40 1.23 +++ mod_include.html 2000/02/02 07:59:18 
@@ -89,15 +89,34 @@ routine when printing dates. + echo This command prints one of the include variables, defined below. If the variable is unset, it is printed as (none). Any dates printed are subject to the currently configured timefmt. + Attributes: var The value is the name of the variable to print. +encoding +Specifies how Apache should encode special characters contained +in the variable before outputting them. If set to "none", no encoding +will be done. If set to "url", then URL encoding (also known as +%-encoding; this is appropriate for use within URLs in links, etc.) +will be performed. At the start of an echo element, +the default is set to "entity", resulting in entity encoding (which +is appropriate in the context of a block-level HTML element, eg. +a paragraph of text). This can be changed by adding an +encoding attribute, which will remain in effect until +the next encoding attribute is encountered or the +element ends, whichever comes first. Note that only special +characters as defined in the ISO-8859-1 character encoding will be +encoded. This encoding process may not have the desired result if +a different character encoding is in use. Apache 1.3.12 and above; previous +versions do no encoding. + exec @@ -181,7 +200,9 @@ printenv This prints out a listing of all existing variables and their values. -No attributes. + Starting with Apache 1.3.12, special characters are entity encoded (see the + echo element for details) before being + output. No attributes. For example: Apache 1.2 and above. Index: src/CHANGES === RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.150
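Review bot: The header says "This patch is against Apache 1.3.11", yet the documentation it adds states "AddDefaultCharset is only available in Apache 1.3.12 and later", with the same wording for AddDefaultCharsetName and the echo encoding attribute. A 1.3.11 site that applies the patch ends up with a manual saying the feature is absent; suggest a line in the patch header explaining that a patched 1.3.11 behaves as 1.3.12 for these items. The directives.html hunk adds AddCharset beside the two new directives, but no AddCharset documentation appears in this patch's core.html hunk and directives.html is not in the file list of the apache-1.3 commit; worth confirming both are intended. "It may be updated as the situation warrants" with only a "Last updated" timestamp gives downloaders no way to tell which revision they hold, so a version line would help.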
cvs commit: apache-site/info/css-security - New directory
marc00/02/02 09:56:16 apache-site/info/css-security - New directory