On 2 Oct 2002 [EMAIL PROTECTED] wrote:
> Index: util_script.c
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/server/util_script.c,v
> retrieving revision 1.79
> retrieving revision 1.80
> diff -u -r1.79 -r1.80
> --- util_script.c 23 Jun 2002 06:15:03 -0000 1.79
> +++ util_script.c 2 Oct 2002 21:35:57 -0000 1.80
> @@ -266,7 +266,8 @@
>
> apr_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r));
> apr_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version());
> - apr_table_addn(e, "SERVER_NAME", ap_get_server_name(r));
> + apr_table_addn(e, "SERVER_NAME",
> + ap_escape_html(r->pool, ap_get_server_name(r)));
> apr_table_addn(e, "SERVER_ADDR", r->connection->local_ip); /* Apache */
> apr_table_addn(e, "SERVER_PORT",
> apr_psprintf(r->pool, "%u", ap_get_server_port(r)));
>
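Review bot: On the two added lines, ap_escape_html() is applied at the moment SERVER_NAME is stored into the environment table e, so every consumer of the variable receives HTML-encoded text whether or not it writes HTML. A script that compares the value, builds a URL from it, or already escapes on output would see altered or double-encoded data, while the neighbouring entries in this hunk (SERVER_SOFTWARE, SERVER_ADDR, SERVER_PORT) are still stored raw, leaving the table with mixed encoding. Suggest keeping the original apr_table_addn(e, "SERVER_NAME", ap_get_server_name(r)); and escaping where the value is emitted into an HTML response; if the change stays, it needs a comment saying why this one variable is treated differently.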
Let's not encode env variables, as we discussed earlier.
Escaping them is bogus and doesn't solve anything since there are all
sorts of variables that aren't and shouldn't be encoded.