* server/core.c (merge_core_dir_configs): Fix Satisfy merging since

per-method Satisfy feature was added.

PR: 31315
Submitted by: Rici Lake <rici ricilake.net>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105215 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index dbed042fe5c6d4ad381aaee899dc202939ab69db..ed6faf0e167725a31dc870566aeded170c4ea218 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) SECURITY: CAN-2004-0811 (cve.mitre.org)
+     Fix merging of the Satisfy directive, which was applied to 
+     the surrounding context and could allow access despite configured
+     authentication.  PR 31315.  [Rici Lake <rici ricilake.net>]
+
   *) Fix the global mutex crash when the global mutex is never allocated due
      to disabled/empty caches. [Jess Holle <jessh ptc.com>]
 

diff --git a/server/core.c b/server/core.c
index e5cb1880a4cdca148f7cf9d2efafd8e057327453..1e5a34ad91670dab0ffd1038e487dc2a92b1bced 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -353,9 +353,13 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
     /* Otherwise we simply use the base->sec_file array
      */
 
+    /* use a separate ->satisfy[] array either way */
+    conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
     for (i = 0; i < METHODS; ++i) {
         if (new->satisfy[i] != SATISFY_NOSPEC) {
             conf->satisfy[i] = new->satisfy[i];
+        } else {
+            conf->satisfy[i] = base->satisfy[i];
         }
     }