-*- coding: utf-8 -*-
Changes with Apache 2.2.1
+ *) PR#38070: Avoid Server-driven negotiation when a script has
+ emitted an explicit Status: header.
+
*) Fix to avoid feeding C99 to C++ compilers [Joe Orton]
*) SECURITY: CVE-2005-3357 (cve.mitre.org)
+1: rpluem, niq
NOTE: this also supersedes previous fix to PR#37790
- * util_script: Fix PR#38070 - Honour a CGI Status header correctly
- http://svn.apache.org/viewcvs?rev=370692&view=rev
- +1: niq, colm, wrowe
-
* Solaris build proposal; don't fail on missing .h files within
a VPATH build, and don't test trees with -d (simply -f the
expected files) in case a tree such as srclib/apr is actually
return 1;
}
+#define HTTP_UNSET (-HTTP_OK)
+
AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
int (*getsfunc) (char *, int, void *),
void *getsfunc_data)
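Review bot: The new `HTTP_UNSET` sentinel is defined without a comment, and its value (-200) is an ordinary int that a Status parser could produce. The parsing of the script's Status line is outside these hunks, so this is inferred: if cgi_status is filled by an unchecked numeric conversion, a script emitting `Status: -200` would be indistinguishable from "no Status seen" and ap_meets_conditions would still run. I would add `/* sentinel: script emitted no Status header; never a valid HTTP status */` above the define and confirm that the parser rejects values outside the valid status range. The `HTTP_` prefix also makes this file-local macro read like one of the public status constants, so a name such as `CGI_STATUS_UNSET` would be clearer. The same sentinel is used in the cgi_status initialiser and in the condition in the later hunks.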
char x[MAX_STRING_LEN];
char *w, *l;
int p;
- int cgi_status = HTTP_OK;
+ int cgi_status = HTTP_UNSET;
apr_table_t *merge;
apr_table_t *cookie_table;
if (w[0] == '\0') {
int cond_status = OK;
- if ((cgi_status == HTTP_OK) && (r->method_number == M_GET)) {
+ /* PR#38070: This fails because it gets confused when a
+ * CGI Status header overrides ap_meets_conditions.
+ *
+ * We can fix that by dropping ap_meets_conditions when
+ * Status has been set. Since this is the only place
+ * cgi_status gets used, let's test it explicitly.
+ *
+ * The alternative would be to ignore CGI Status when
+ * ap_meets_conditions returns anything interesting.
+ * That would be safer wrt HTTP, but would break CGI.
+ */
+ if ((cgi_status == HTTP_UNSET) && (r->method_number == M_GET)) {
cond_status = ap_meets_conditions(r);
}
apr_table_overlap(r->err_headers_out, merge,
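Review bot: The added comment above the `cgi_status == HTTP_UNSET` test narrates the old bug ("This fails because it gets confused") instead of stating the rule the code now enforces, and "This" has no referent once the removed line is gone. Something like `/* PR#38070: an explicit Status from the script takes precedence, so ap_meets_conditions is consulted only when the script emitted no Status. */` would read correctly for future maintainers. It should also state the consequence for caching: whenever the script sends any Status, including 200, the request's conditional headers are not evaluated on this path, so no 304 or 412 is generated here. The claim that this is the only use of cgi_status cannot be checked from the hunk, because the enclosing function starts and ends outside it.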