Merge r757376 from trunk:

Prevent a case of SSI timefmt-smashing with filter chains including
multiple INCLUDES filters:

* modules/filters/mod_include.c (add_include_vars): Drop unused
  timefmt argument.
  (add_include_vars_lazy): Take timefmt argument.
  (get_include_var, handle_printenv): Pass time format from context.

PR: 39369

Submitted by: jorton
Reviewed by: rpluem, jim, wrowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773352 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 4900abb56acdb12da045b45c39f257e42abf31bf..b2bbb37ea9c7192adb2c207012228710a82bf981 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,9 @@ Changes with Apache 2.2.12
      mod_proxy_ajp: Avoid delivering content from a previous request which
      failed to send a request body. PR 46949 [Ruediger Pluem]
 
+  *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
+     including multiple INCLUDES filters. PR 39369 [Joe Orton]
+
   *) mod_rewrite: When evaluating a proxy rule in directory context, do
      escape the filename by default. PR 46428 [Joe Orton]
 

diff --git a/STATUS b/STATUS
index 372f09072bfb1f2734deeb0b7958c4b18f6f42a6..5a0a19afe5f7471a49c93c1b06276c17c0228f2b 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -87,14 +87,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
- * mod_include: Prevent a case of SSI timefmt-smashing with filter chains
-   including multiple INCLUDES filters
-   Trunk version of patch:
-      http://svn.apache.org/viewvc?rev=757376&view=rev
-   Backport version for 2.2.x of patch:
-      Trunk version of patch works
-   +1: rpluem, jim, wrowe
-
  * mod_negotiation: Escape pathes of filenames in 406 responses to avoid
    HTML injections and HTTP response splitting
    Trunk version of patch:

diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index acb3010472cea486a0b8edef610be3208403fee1..a174529e191d0a6c72ba5de4e2347f8d75d55b26 100644 (file)
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -580,7 +580,7 @@ static void decodehtml(char *s)
     *p = '\0';
 }
 
-static void add_include_vars(request_rec *r, const char *timefmt)
+static void add_include_vars(request_rec *r)
 {
     apr_table_t *e = r->subprocess_env;
     char *t;
@@ -608,26 +608,17 @@ static void add_include_vars(request_rec *r, const char *timefmt)
     }
 }
 
-static const char *add_include_vars_lazy(request_rec *r, const char *var)
+static const char *add_include_vars_lazy(request_rec *r, const char *var, const char *timefmt)
 {
     char *val;
     if (!strcasecmp(var, "DATE_LOCAL")) {
-        include_dir_config *conf =
-            (include_dir_config *)ap_get_module_config(r->per_dir_config,
-                                                       &include_module);
-        val = ap_ht_time(r->pool, r->request_time, conf->default_time_fmt, 0);
+        val = ap_ht_time(r->pool, r->request_time, timefmt, 0);
     }
     else if (!strcasecmp(var, "DATE_GMT")) {
-        include_dir_config *conf =
-            (include_dir_config *)ap_get_module_config(r->per_dir_config,
-                                                       &include_module);
-        val = ap_ht_time(r->pool, r->request_time, conf->default_time_fmt, 1);
+        val = ap_ht_time(r->pool, r->request_time, timefmt, 1);
     }
     else if (!strcasecmp(var, "LAST_MODIFIED")) {
-        include_dir_config *conf =
-            (include_dir_config *)ap_get_module_config(r->per_dir_config,
-                                                       &include_module);
-        val = ap_ht_time(r->pool, r->finfo.mtime, conf->default_time_fmt, 0);
+        val = ap_ht_time(r->pool, r->finfo.mtime, timefmt, 0);
     }
     else if (!strcasecmp(var, "USER_NAME")) {
         if (apr_uid_name_get(&val, r->finfo.user, r->pool) != APR_SUCCESS) {
@@ -684,7 +675,7 @@ static const char *get_include_var(const char *var, include_ctx_t *ctx)
         val = apr_table_get(r->subprocess_env, var);
 
         if (val == LAZY_VALUE) {
-            val = add_include_vars_lazy(r, var);
+            val = add_include_vars_lazy(r, var, ctx->time_str);
         }
     }
 
@@ -2424,7 +2415,7 @@ static apr_status_t handle_printenv(include_ctx_t *ctx, ap_filter_t *f,
         /* get value */
         val_text = elts[i].val;
         if (val_text == LAZY_VALUE) {
-            val_text = add_include_vars_lazy(r, elts[i].key);
+            val_text = add_include_vars_lazy(r, elts[i].key, ctx->time_str);
         }
         val_text = ap_escape_html(ctx->dpool, elts[i].val);
         v_len = strlen(val_text);
@@ -3609,7 +3600,7 @@ static apr_status_t includes_filter(ap_filter_t *f, apr_bucket_brigade *b)
          * environment */
         ap_add_common_vars(r);
         ap_add_cgi_vars(r);
-        add_include_vars(r, conf->default_time_fmt);
+        add_include_vars(r);
     }
     /* Always unset the content-length.  There is no way to know if
      * the content will be modified at some point by send_parsed_content.