Submitted by: jfclere
Backports: r1166551, r1166657
Reviewed by: wrowe, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1167158 13f79535-47bb-0310-9956-ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.2.21
+ *) SECURITY: CVE-2011-3348 (cve.mitre.org)
+ mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
+ recognized. [Jean-Frederic Clere]
+
*) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20.
PR 51748. [<lowprio20 gmail.com>]
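Review bot: The new SECURITY entry in CHANGES states only the new behaviour ("Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized") and says nothing about what mod_proxy_ajp did with an unrecognized method before, so a reader cannot judge from the entry whether a deployment is affected. Suggest adding one clause describing the previous behaviour, in the way the entry below it names the regression it fixes.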
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_proxy_ajp: return HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD
- Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1166551 &
- http://svn.apache.org/viewvc?view=revision&revision=1166657
- +1: jfclere, jorton, wrowe
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
conn->worker->hostname);
if (status == AJP_EOVERFLOW)
return HTTP_BAD_REQUEST;
- else {
+ else if (status == AJP_EBAD_METHOD) {
+ return HTTP_NOT_IMPLEMENTED;
+ } else {
/*
* This is only non fatal when the method is idempotent. In this
* case we can dare to retry it with a different worker if we are
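Review bot: The status chain now mixes brace styles: the `if (status == AJP_EOVERFLOW)` branch above is unbraced, the new `else if (status == AJP_EBAD_METHOD) {` branch is braced, and it closes with `} else {` where the removed line had `else {` on its own line. Suggest bracing the AJP_EOVERFLOW branch as well and keeping `else {` on its own line after the closing brace. A short comment on the new branch, saying that an unrecognized method is answered directly and never reaches the retry-with-a-different-worker path described in the comment that follows, would make the intent of the early return clear.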