On 2 Oct 2002 [EMAIL PROTECTED] wrote: > Index: util_script.c > =================================================================== > RCS file: /home/cvs/httpd-2.0/server/util_script.c,v > retrieving revision 1.79 > retrieving revision 1.80 > diff -u -r1.79 -r1.80 > --- util_script.c 23 Jun 2002 06:15:03 -0000 1.79 > +++ util_script.c 2 Oct 2002 21:35:57 -0000 1.80 > @@ -266,7 +266,8 @@ > > apr_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r)); > apr_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version()); > - apr_table_addn(e, "SERVER_NAME", ap_get_server_name(r)); > + apr_table_addn(e, "SERVER_NAME", > + ap_escape_html(r->pool, ap_get_server_name(r))); > apr_table_addn(e, "SERVER_ADDR", r->connection->local_ip); /* Apache */ > apr_table_addn(e, "SERVER_PORT", > apr_psprintf(r->pool, "%u", ap_get_server_port(r))); >
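Review bot: At the SERVER_NAME line, the value is HTML-escaped as it is stored in the CGI environment table, where there is no HTML context. Any script that uses SERVER_NAME for something other than HTML output (building a URL, comparing host names) would receive the entity-encoded form whenever the name contains a character that ap_escape_html rewrites. It is also the only entry in this hunk that gets escaped: SERVER_ADDR and SERVER_PORT next to it are passed as-is, and no comment explains the difference. Consider keeping `apr_table_addn(e, "SERVER_NAME", ap_get_server_name(r));` and escaping at the point where the value is written into HTML, or at minimum add a comment stating why this one variable is treated differently.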
Let's not encode env variables, as we discussed earlier. Escaping them is bogus and doesn't solve anything since there are all sorts of variables that aren't and shouldn't be encoded.