author | Jeff Trawick <trawick@apache.org> | 2007-12-15 13:32:51 +0000 |
---|---|---|
committer | Jeff Trawick <trawick@apache.org> | 2007-12-15 13:32:51 +0000 |
commit | dc414718acd0f5b7d50b44c67038651cae5d7754 (patch) | |
tree | 5d55e963ae0cea584722bec6ca68233ba652fa75 /modules | |
parent | da9bb4ee99c9760ba8d696ff3e789d46a24d4aab (diff) | |
download | httpd-dc414718acd0f5b7d50b44c67038651cae5d7754.tar.gz |
merge r603346 from trunk:
http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings.
Reviewed by: wrowe, rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@604426 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r-- | modules/http/http_protocol.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c index d521842b7b..deff80bc39 100644 --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c @@ -2182,7 +2182,8 @@ static const char *get_canned_error_string(int status, NULL)); case HTTP_METHOD_NOT_ALLOWED: return(apr_pstrcat(p, - "<p>The requested method ", r->method, + "<p>The requested method ", + ap_escape_html(r->pool, r->method), " is not allowed for the URL ", ap_escape_html(r->pool, r->uri), ".</p>\n", |
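Review bot: In the HTTP_METHOD_NOT_ALLOWED case, the fix only covers this one use of r->method, and the hunk does not show whether other cases in get_canned_error_string still pass r->method to apr_pstrcat unescaped; please check the rest of the function and escape any remaining uses the same way, as is now done here with ap_escape_html(r->pool, r->method). The new call allocates from r->pool while the concatenation uses p, which matches the existing ap_escape_html(r->pool, r->uri) line, so that part is consistent. The "no security impact" reasoning in the log message covers browsers only; since the method is taken from the client's request, a short comment at this case stating that every request-derived string in the canned error body must be HTML-escaped would keep later edits from reintroducing the raw value.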