Diffstat (limited to 'docs/manual/env.html.en')
-rw-r--r-- | docs/manual/env.html.en | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/docs/manual/env.html.en b/docs/manual/env.html.en index f4e32d36..69455c0b 100644 --- a/docs/manual/env.html.en +++ b/docs/manual/env.html.en @@ -115,6 +115,11 @@ not be a number. Characters which do not match this restriction will be replaced by an underscore when passed to CGI scripts and SSI pages.</li> + + <li>The <code class="directive"><a href="./mod/mod_env.html#setenv">SetEnv</a></code> directive runs + late during request processing meaning that directives such as + <code class="directive"><a href="./mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> and <code class="directive"><a href="./mod/mod_rewrite.html#rewritecond">RewriteCond</a></code> will not see the + variables set with it.</li> </ul> </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div> @@ -324,6 +329,19 @@ set for the redirection text, and these broken browsers will then correctly use that of the destination page.</p> + <div class="warning"> + <h3>Security note</h3> + + <p>Sending error pages without a specified character set may + allow a cross-site-scripting attack for existing browsers (MSIE) + which do not follow the HTTP/1.1 specification and attempt to + "guess" the character set from the content. Such browsers can + be easily fooled into using the UTF-7 character set, and UTF-7 + content from input data (such as the request-URI) will not be + escaped by the usual escaping mechanisms designed to prevent + cross-site-scripting attacks.</p> + </div> + <h3><a name="proxy" id="proxy">force-proxy-request-1.0, proxy-nokeepalive, proxy-sendchunked, proxy-sendcl</a></h3> 
@@ -390,7 +408,7 @@ CustomLog logs/access_log common env=!image-request</pre></div> in limited circumstances. We assume that all your images are in a directory called /web/images.</p> <div class="example"><pre> -SetEnvIf Referer "^http://www.example.com/" local_referal +SetEnvIf Referer "^http://www\.example\.com/" local_referal # Allow browsers that do not send Referer info SetEnvIf Referer "^$" local_referal <Directory /web/images> @@ -408,6 +426,6 @@ SetEnvIf Referer "^$" local_referal <a href="./ja/env.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | <a href="./ko/env.html" hreflang="ko" rel="alternate" title="Korean"> ko </a></p> </div><div id="footer"> -<p class="apache">Copyright 2007 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="apache">Copyright 2008 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div> </body></html>
\ No newline at end of file |
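Review bot: In the first hunk (@@ -115), the new SetEnv list item says SetEnvIf and RewriteCond will not see variables set with SetEnv, but it does not tell the reader what to use instead. Suggest adding a clause that points to a directive which sets the variable early enough (SetEnvIf itself is the obvious candidate), because a condition keyed on a SetEnv variable will otherwise simply never match. Minor: add a comma before "meaning" in "runs late during request processing meaning that".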
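Review bot: In the second hunk (@@ -324), the Security note describes the cross-site-scripting risk but gives the administrator nothing to act on. Add a sentence on how to limit exposure, for example applying the behaviour described in the preceding paragraph only to the specific broken clients that need it. "existing browsers (MSIE)" is also vague: name the affected versions if they are known, and consider replacing "easily fooled" with a neutral description of the character-set guessing.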
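Review bot: In the third hunk (@@ -390), escaping the dots in "^http://www\.example\.com/" is correct, but the surrounding text still only says the example works "in limited circumstances". Referer is supplied by the client, and the unchanged line SetEnvIf Referer "^$" local_referal admits any request that omits the header, so suggest stating explicitly that this deters casual hotlinking and is not an access control. The commit message could also record the reason for the change: unescaped, each "." in the pattern matches any character.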