Reviewed By: jorton, rpluem, covener
Security fix for CVE-2009-1195: fix Options handling such that
'AllowOverride Options=IncludesNoExec' does not permit Includes with
exec= enabled to be configured in an .htaccess file:
* include/http_core.h: Change semantics of Includes/IncludeNoExec
options bits to be additive; OPT_INCLUDES now means SSI is enabled
without exec=. OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
with exec=.
* server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
from default override_opts; no functional change.
(merge_core_dir_configs): Update logic to ensure that exec= is
disabled in a context where IncludesNoexec is configured, even if
Includes-with-exec is permitted in the inherited options set.
(set_allow_opts, set_options): Update to reflect new semantics
of OPT_INCLUDES, OPT_INC_WITH_EXEC.
* server/config.c: Update to remove OPT_INCNOEXEC from default
override_opts; no functional change.
* modules/filters/mod_include.c (includes_filter): Update to reflect
new options semantics - disable exec= support if the
OPT_INC_WITH_EXEC bit is not set.
Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
jorton
Thanks to: Vincent Danon <vdanon redhat.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773881
13f79535-47bb-0310-9956-
ffa450edef68
*) mod_rewrite: When evaluating a proxy rule in directory context, do
escape the filename by default. PR 46428 [Joe Orton]
+ *) SECURITY: CVE-2009-1195 (cve.mitre.org)
+ Prevent the "Includes" Option from being enabled in an .htaccess
+ file if the AllowOverride restrictions do not permit it.
+ [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
+ Ruediger Pluem]
+
*) mod_proxy_ajp: Check more strictly that the backend follows the AJP
protocol. [Mladen Turk]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * CVE-2009-1195 security fix for Includes merging.
- trunk version of patch:
- http://svn.apache.org/viewvc?rev=772997&view=rev
- http://svn.apache.org/viewvc?rev=773322&view=rev
- http://svn.apache.org/viewvc?rev=773342&view=rev
- 2.2.x patch:
- http://people.apache.org/~jorton/2.2.x-CVE-2009-1195.patch
- (unmodified merge from trunk + CHANGES entry)
- +1: jorton, rpluem, covener
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
#define OPT_NONE 0
/** Indexes directive */
#define OPT_INDEXES 1
-/** Includes directive */
+/** SSI is enabled without exec= permission */
#define OPT_INCLUDES 2
/** FollowSymLinks directive */
#define OPT_SYM_LINKS 4
#define OPT_EXECCGI 8
/** directive unset */
#define OPT_UNSET 16
-/** IncludesNOEXEC directive */
-#define OPT_INCNOEXEC 32
+/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
+#define OPT_INC_WITH_EXEC 32
/** SymLinksIfOwnerMatch directive */
#define OPT_SYM_OWNER 64
/** MultiViews directive */
#define OPT_MULTI 128
/** All directives */
-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
/** @} */
/**
intern->seen_eos = 0;
intern->state = PARSE_PRE_HEAD;
ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
- if (ap_allow_options(r) & OPT_INCNOEXEC) {
+ if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
ctx->flags |= SSI_FLAG_NO_EXEC;
}
intern->accessenable = conf->accessenable;
parms.temp_pool = ptemp;
parms.server = s;
parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
&arr_parms, NULL,
parms.temp_pool = ptemp;
parms.server = s;
parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
rv = ap_pcfg_openfile(&cfp, p, fname);
if (rv != APR_SUCCESS) {
parms.temp_pool = ptemp;
parms.server = s;
parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
parms.limited = -1;
errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
conf->opts_add = conf->opts_remove = OPT_NONE;
conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
- | OPT_MULTI;
+ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
conf->content_md5 = 2;
conf->accept_path_info = 3;
conf->opts_remove = (conf->opts_remove & ~new->opts_add)
| new->opts_remove;
conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
+
+ /* If Includes was enabled with exec in the base config, but
+ * was enabled without exec in the new config, then disable
+ * exec in the merged set. */
+ if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
+ == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
+ && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
+ == OPT_INCLUDES)) {
+ conf->opts &= ~OPT_INC_WITH_EXEC;
}
}
else {
opt = OPT_INDEXES;
}
else if (!strcasecmp(w, "Includes")) {
- opt = OPT_INCLUDES;
+ /* If Includes is permitted, both Includes and
+ * IncludesNOEXEC may be changed. */
+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
}
else if (!strcasecmp(w, "IncludesNOEXEC")) {
- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
+ opt = OPT_INCLUDES;
}
else if (!strcasecmp(w, "FollowSymLinks")) {
opt = OPT_SYM_LINKS;
opt = OPT_INDEXES;
}
else if (!strcasecmp(w, "Includes")) {
- opt = OPT_INCLUDES;
+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
}
else if (!strcasecmp(w, "IncludesNOEXEC")) {
- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
+ opt = OPT_INCLUDES;
}
else if (!strcasecmp(w, "FollowSymLinks")) {
opt = OPT_SYM_LINKS;
projects / thirdparty / apache / httpd.git / commitdiff
