Don't risk segfault in authz if r->user is not set
authorNick Kew <niq@apache.org>
Tue, 20 Jul 2010 01:34:39 +0000 (01:34 +0000)
committerNick Kew <niq@apache.org>
Tue, 20 Jul 2010 01:34:39 +0000 (01:34 +0000)
PR 42995

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@965709 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
server/request.c

diff --git a/CHANGES b/CHANGES
index 6b82bb6c40011c3712e58a218e99ac1f06259975..51e520f96993f2f0acf2473b5e65d477e35b8bf0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -32,6 +32,10 @@ Changes with Apache 2.3.7
   *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
      PR 43906 [Nick Kew]
 
+  *) Core: Extra robustness: don't try authz and segfault if authn
+     fails to set r->user.  Log bug and return 500 instead.
+     PR 42995 [Nick Kew]
+
 Changes with Apache 2.3.6
 
   *) SECURITY: CVE-2009-3555 (cve.mitre.org)
index bc261829ab827d324aa6d2968fce26f214758b5b..7ce9b80cd4919e2aff4e25470ade4f23a1ca2f53 100644 (file)
@@ -225,6 +225,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
                 if ((access_status = ap_run_check_user_id(r)) != OK) {
                     return decl_die(access_status, "check user", r);
                 }
+                if (r->user == NULL) {
+                    /* don't let buggy authn module crash us in authz */
+                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                  "Buggy authn provider failed to set user for %s",
+                                  r->uri);
+                    access_status = HTTP_INTERNAL_SERVER_ERROR;
+                    return decl_die(access_status, "check user", r);
+                }
                 if ((access_status = ap_run_auth_checker(r)) != OK) {
                     return decl_die(access_status, "check authorization", r);
                 }
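Review bot: The added guard stores HTTP_INTERNAL_SERVER_ERROR in access_status only to pass it straight to decl_die on the next line, so the two statements can collapse to `return decl_die(HTTP_INTERNAL_SERVER_ERROR, "check user", r);`, which also keeps the 500 from being read as the result of ap_run_check_user_id. The guard is placed only on the path that just called ap_run_check_user_id, so it covers an authn hook that returns OK without setting r->user but not any other route by which ap_run_auth_checker could be reached with r->user unset; whether such a route exists cannot be seen here, as ap_process_request_internal starts and ends outside the hunk. The APLOG_ERR line naming r->uri is the right place for operators to detect a misbehaving provider, and a short comment such as `/* authn hooks that return OK must set r->user; treat a missing user as a provider bug, not as "anonymous" */` would make the intent clearer than the current one-liner.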