Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication.
PR: 31315
Submitted by: Rici Lake <rici ricilake.net>
Reviewed by: jorton, nd, pquerna, geoff
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105227 13f79535-47bb-0310-9956-ffa450edef68
Changes with Apache 2.0.52
+ *) SECURITY: CAN-2004-0811 (cve.mitre.org)
+ Fix merging of the Satisfy directive, which was applied to
+ the surrounding context and could allow access despite configured
+ authentication. PR 31315. [Rici Lake <rici ricilake.net>]
+
*) Fix the handling of URIs containing %2F when AllowEncodedSlashes
is enabled. Previously, such urls would still be rejected.
[Jeff Trawick, Bill Stoddard]
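Review bot: The new SECURITY entry at the top of this hunk does not say which release is affected. The STATUS item removed in this same commit describes the problem as a "Satisfy merging regression in 2.0.51", so consider carrying that wording into the CHANGES text so that administrators reading the 2.0.52 notes can tell that the 2.0.51 release is the one that needs this fix.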
APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2004/09/21 01:36:46 $]
+Last modified at [$Date: 2004/09/21 13:21:13 $]
Release:
[ please place file names and revisions from HEAD here, so it is easy to
identify exactly what the proposed changes are! ]
- *) Fix Satisfy merging regression in 2.0.51.
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/core.c?r1=1.285&r2=1.286
- PR: 31315
- +1: jorton, nd, pquerna, geoff
-
*) Fix the global mutex crash when the global mutex is never allocated
due to disabled/empty caches.
modules/ldap/util_ldap.c: 1.13
/* Otherwise we simply use the base->sec_file array
*/
+ /* use a separate ->satisfy[] array either way */
+ conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
for (i = 0; i < METHODS; ++i) {
if (new->satisfy[i] != SATISFY_NOSPEC) {
conf->satisfy[i] = new->satisfy[i];
+ } else {
+ conf->satisfy[i] = base->satisfy[i];
}
}
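Review bot: The added comment above the apr_palloc call says the ->satisfy[] array is separate "either way" but not why it has to be. The commit message says the directive was being applied to the surrounding context, so it is worth stating here that conf->satisfy must not alias base->satisfy, because the loop below writes conf->satisfy[i] and would otherwise change the enclosing section's settings. It would also help to note that the new else branch is what guarantees every one of the METHODS slots is assigned, since apr_palloc does not zero the memory it returns; that keeps a later edit from dropping the else branch and leaving slots unset.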