authorJeff Trawick <trawick@apache.org>2007-12-15 13:32:51 +0000
committerJeff Trawick <trawick@apache.org>2007-12-15 13:32:51 +0000
commitdc414718acd0f5b7d50b44c67038651cae5d7754 (patch)
tree5d55e963ae0cea584722bec6ca68233ba652fa75 /modules
parentda9bb4ee99c9760ba8d696ff3e789d46a24d4aab (diff)
downloadhttpd-dc414718acd0f5b7d50b44c67038651cae5d7754.tar.gz
merge r603346 from trunk:
http_protocol: Escape request method in 405 error reporting. This has no security impact since the browser cannot be tricked into sending arbitrary method strings. Reviewed by: wrowe, rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@604426 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r--modules/http/http_protocol.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index d521842b7b..deff80bc39 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -2182,7 +2182,8 @@ static const char *get_canned_error_string(int status,
NULL));
case HTTP_METHOD_NOT_ALLOWED:
return(apr_pstrcat(p,
- "<p>The requested method ", r->method,
+ "<p>The requested method ",
+ ap_escape_html(r->pool, r->method),
" is not allowed for the URL ",
ap_escape_html(r->pool, r->uri),
".</p>\n",
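Review bot: Only the HTTP_METHOD_NOT_ALLOWED case gets the escaping here, but `r->method` is taken from the request line, so any other case of this switch that embeds it in an HTML body needs the same `ap_escape_html(r->pool, r->method)` wrapping. The rest of get_canned_error_string lies outside the hunk, so I cannot confirm whether such cases exist; a search of the function for bare `r->method` before merging would settle it. I would also add a short comment above the call, e.g. `/* r->method is client-supplied: always HTML-escape before echoing it */`, so the escaping is read as a required output-encoding rule and not dropped in a later cleanup. The commit message's "no security impact" reasoning depends on what browsers will send, which is an assumption about the client and not something the server enforces.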