* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Omit further
access control checks if SSL is not in use regardless of vhost
settings.
Submitted by: rpluem, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@371643 13f79535-47bb-0310-9956-ffa450edef68
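The commit message above says the access hook must bail out whenever SSL is not in use, regardless of the vhost's own settings. The following is an added illustration, not httpd's code: it models the before and after form of that single condition with constructed stand-in types (SSLSrvConfigRec and SSL are placeholders here, not the real httpd/OpenSSL definitions) and a sentinel in place of the NULL dereference, so the four combinations of "vhost SSL-enabled" and "connection has an SSL object" can be compared side by side.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins (not the real httpd types) for the two things the
 * access hook consults: the per-vhost SSL config and the connection's SSL object. */
typedef struct { int enabled; } SSLSrvConfigRec;  /* sc->enabled: SSLEngine on/optional */
typedef struct { int unused; } SSL;                /* OpenSSL connection object; NULL on plaintext */

enum { DECLINED = -1, OK = 0, NULL_DEREF = 99 };

/* The checks that follow the early return need the SSL object. Instead of
 * actually dereferencing NULL (a SEGV in the real server), return a sentinel. */
static int later_checks(const SSL *ssl)
{
    if (ssl == NULL)
        return NULL_DEREF;
    return OK;
}

/* Pre-fix condition: declines only when the vhost is NOT SSL-enabled AND
 * there is no SSL object. An SSL vhost on a plaintext connection falls through. */
int access_old(const SSLSrvConfigRec *sc, const SSL *ssl)
{
    if (!(sc->enabled || ssl))
        return DECLINED;
    return later_checks(ssl);
}

/* Post-fix condition: declines when EITHER is missing, so no later check
 * ever runs without an SSL object. */
int access_new(const SSLSrvConfigRec *sc, const SSL *ssl)
{
    if (!sc->enabled || !ssl)
        return DECLINED;
    return later_checks(ssl);
}

/* Flag-taking wrappers so each combination can be named directly. */
int old_result(int enabled, int have_ssl)
{
    SSLSrvConfigRec sc = { enabled };
    SSL conn = { 0 };
    return access_old(&sc, have_ssl ? &conn : NULL);
}

int new_result(int enabled, int have_ssl)
{
    SSLSrvConfigRec sc = { enabled };
    SSL conn = { 0 };
    return access_new(&sc, have_ssl ? &conn : NULL);
}

static const char *name(int r)
{
    return r == DECLINED ? "DECLINED" : r == OK ? "OK" : "NULL_DEREF";
}

int main(void)
{
    int enabled, have_ssl;
    printf("enabled ssl   old        new\n");
    for (enabled = 0; enabled <= 1; enabled++)
        for (have_ssl = 0; have_ssl <= 1; have_ssl++)
            printf("%d       %d     %-10s %s\n", enabled, have_ssl,
                   name(old_result(enabled, have_ssl)),
                   name(new_result(enabled, have_ssl)));
    return 0;
}
```

The row with enabled=1 and ssl=0 is the CVE-2005-3357 case: the old test lets an SSL-enabled vhost continue into checks that assume an SSL object exists, while the new test declines. The table also shows why the CHANGES wording "regardless of vhost settings" matters: with the new test the vhost flag alone can never admit a request.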
-*- coding: utf-8 -*-
Changes with Apache 2.0.56
+ *) SECURITY: CVE-2005-3357 (cve.mitre.org)
+ mod_ssl: Fix a possible crash during access control checks if a
+ non-SSL request is processed for an SSL vhost (such as the
+ "HTTP request received on SSL port" error message when an 400
+ ErrorDocument is configured, or if using "SSLEngine optional").
+ PR 37791. [Rüdiger Plüm, Joe Orton]
+
*) Add ReceiveBufferSize directive to control the TCP receive buffer.
[Eric Covener <covener gmail.com>]
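Review bot: the new CHANGES entry reads "when an 400 ErrorDocument is configured"; that should be "a 400 ErrorDocument". The rest of the entry matches the code change, and it carries both PR 37791 and CVE-2005-3357, so the fix is traceable from CHANGES alone.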
http://issues.apache.org/bugzilla/attachment.cgi?id=16995
+1: rpluem, colm, trawick
- *) mod_ssl: Fix PR37791 (CVEID: CAN-2005-3357) (SEGV if the client is
- connection plain to a SSL enabled port)
- Trunk version of patch:
- http://svn.apache.org/viewcvs.cgi?rev=354394&view=rev
- Backport version for 2.0.x of patch:
- http://issues.apache.org/bugzilla/attachment.cgi?id=17393
- +1: rpluem, colm, trawick
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ please place SVN revisions from trunk here, so it is easy to
identify exactly what the proposed changes are! Add all new
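Review bot: the removed STATUS lines are the only place on this page that records the trunk revision (r354394) and the 2.0.x backport attachment (id=17393) for this fix; the CHANGES entry above cites only PR 37791 and the CVE. Consider naming the trunk revision in the CHANGES entry or the commit message so the backport can still be traced once these STATUS lines are gone. Note also that STATUS used the older CAN-2005-3357 form while CHANGES uses CVE-2005-3357; both refer to the same identifier.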
}
/*
- * Check to see if SSL protocol is on
+ * Check to see whether SSL is in use; if it's not, then no
+ * further access control checks are relevant. (the test for
+ * sc->enabled is probably strictly unnecessary)
*/
- if (!(sc->enabled || ssl)) {
+ if (!sc->enabled || !ssl) {
return DECLINED;
}
+
/*
* Support for per-directory reconfigured SSL connection parameters.
*
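Review bot: the old test `if (!(sc->enabled || ssl))` declined only when the vhost was not SSL-enabled and there was no SSL object, so an SSL-enabled vhost handling a plaintext connection (ssl == NULL) fell through to the per-directory checks that follow; that is the crash the CHANGES entry describes. The new `if (!sc->enabled || !ssl)` declines as soon as either is missing, which is the behaviour the commit message asks for. Since the new comment already says the sc->enabled test is probably unnecessary, `if (!ssl)` would state the intent more directly, but keeping the extra test is harmless and cannot reintroduce the fall-through.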