Fix PR#38070
authorNick Kew <niq@apache.org>
Sat, 4 Feb 2006 17:41:09 +0000 (17:41 +0000)
committerNick Kew <niq@apache.org>
Sat, 4 Feb 2006 17:41:09 +0000 (17:41 +0000)
Avoid server-driven negotiation when a script has sent a Status: header.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@374894 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
server/util_script.c

diff --git a/CHANGES b/CHANGES
index 24947a6a0813f516da4e5886ce57e908bbff5164..b7429749b120897f66ca133f33e546cbd77b0050 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.56
 
+  *) Fix PR#38070: Avoid server-driven negotiation when a CGI script
+     has emitted an explicit Status: header [Nick Kew].
+
   *) SECURITY: CVE-2005-3357 (cve.mitre.org)
      mod_ssl: Fix a possible crash during access control checks if a
      non-SSL request is processed for an SSL vhost (such as the
diff --git a/STATUS b/STATUS
index b4875859b0940e022314f33894b33f42e755f9ce..e84453b5eac009a9fc97c4a490be50e589a6d5b6 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -117,11 +117,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
          http://svn.apache.org/viewcvs?view=rev&rev=154319
        +1: stoddard, striker, wrowe (as corrected in subsequent patches)
 
-    *) util_script: FIX PR38070, correctly honor a CGI Status: header.
-         http://svn.apache.org/viewcvs?rev=370692&view=rev
-       +1: colm,niq,wrowe
-
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are!  Add all new
index a2e8675bcd573bdd26897dc83eb4be09c76c7495..1bb61eae9b2629225dad02e44bf19cc14042551a 100644 (file)
@@ -394,6 +394,8 @@ static int set_cookie_doo_doo(void *v, const char *key, const char *val)
     return 1;
 }
 
+#define HTTP_UNSET (-HTTP_OK)
+
 AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
                                       int (*getsfunc) (char *, int, void *),
                                       void *getsfunc_data)
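Review bot: `HTTP_UNSET` is an in-band sentinel, a value of the same `int` that the later hunks initialise (`int cgi_status = HTTP_UNSET;`) and test (`cgi_status == HTTP_UNSET`). If that variable is filled from an unchecked numeric conversion of the script's Status: value, a script-supplied value equal to `-HTTP_OK` would be read as "no Status: header sent". The line that parses Status: is outside these hunks, so this is inferred rather than shown. A separate flag keeps script data and parser state apart, e.g. `int cgi_status_seen = 0;` set where the header is parsed and tested as `if (!cgi_status_seen && (r->method_number == M_GET))`. The macro also has no comment and borrows the `HTTP_` prefix used for real status codes; a line such as `/* sentinel: script has not sent a Status: header */` would help, and the function body continues beyond this hunk.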
@@ -401,7 +403,7 @@ AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
     char x[MAX_STRING_LEN];
     char *w, *l;
     int p;
-    int cgi_status = HTTP_OK;
+    int cgi_status = HTTP_UNSET;
     apr_table_t *merge;
     apr_table_t *cookie_table;
 
@@ -462,7 +464,18 @@ AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
        if (w[0] == '\0') {
            int cond_status = OK;
 
-           if ((cgi_status == HTTP_OK) && (r->method_number == M_GET)) {
+           /* PR#38070: This fails because it gets confused when a
+             * CGI Status header overrides ap_meets_conditions.
+             * 
+             * We can fix that by dropping ap_meets_conditions when
+             * Status has been set.  Since this is the only place
+             * cgi_status gets used, let's test it explicitly.
+             *
+             * The alternative would be to ignore CGI Status when
+             * ap_meets_conditions returns anything interesting.
+             * That would be safer wrt HTTP, but would break CGI.
+             */
+           if ((cgi_status == HTTP_UNSET) && (r->method_number == M_GET)) {
                cond_status = ap_meets_conditions(r);
            }
            apr_table_overlap(r->err_headers_out, merge,
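Review bot: The added comment opens with "This fails because it gets confused", which describes the code before the fix and will mislead once the old condition is gone. It should state the contract the new test enforces: a GET response whose script sent any Status: header, including an explicit 200, no longer passes through `ap_meets_conditions`, so the script is responsible for evaluating the request's conditional headers itself. Suggested wording: `/* PR#38070: a script that sent Status: owns the response status; skip ap_meets_conditions() so the server does not override it. */`. The trade-off the comment already mentions ("safer wrt HTTP, but would break CGI") is worth keeping as a second sentence. The enclosing function starts and ends outside this hunk, so how `cond_status` is used afterwards is not visible here.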