merging of RewriteBase. Merging was off until 2.2.22
and turned on unconditionally in 2.2.23.
PR 53963.
Submitted by: covener
Backport by: rjung
Reviewed by: wrowe, covener
Merge of r1410681 and r1447426 from trunk resp.
r1418954 and r1447448 from 2.4.x.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@
1447508 13f79535-47bb-0310-9956-
ffa450edef68
XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
Niels Heinen <heinenn google com>]
+ *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories
+ unless new option 'RewriteOptions MergeBase' is configured.
+ Merging RewriteBase was unconditionally turned on in 2.2.23.
+ PR 53963. [Eric Covener]
+
*) mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_rewrite: Add an opt-in RewriteOption to control merging of RewriteBase.
- Merging would be off by default, which is the same as the pre 2.2.23
- behaviour.
- PR 53963
- trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1410681
- http://svn.apache.org/viewvc?view=revision&revision=1447426
- 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1418954
- http://svn.apache.org/viewvc?view=revision&revision=1447448
- 2.2.x patch: http://people.apache.org/~rjung/patches/rewriteoption-mergebase-2_2.patch
- +1: rjung, wrowe (same observation as covener)
- +1: covener (docs need tweak to note 2.2.23 instead of 2.4.0-2.4.3)
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
</note>
</dd>
+ <dt><code>MergeBase</code></dt>
+ <dd>
+
+ <p>With this option, the value of <directive module="mod_rewrite"
+ >RewriteBase</directive> is copied from where it's explicitly defined
+ into any sub-directory or sub-location that doesn't define its own
+ <directive module="mod_rewrite">RewriteBase</directive>. Not copying
+ was the default until 2.2.22. In version 2.2.23 copying was the default.
+ The flag to explicitly control it is available for Apache HTTP
+ Server 2.2.24 and later.</p>
+ </dd>
</dl>
</usage>
#define OPTION_NONE 1<<0
#define OPTION_INHERIT 1<<1
#define OPTION_ANYURI 1<<4
+#define OPTION_MERGEBASE 1<<5
#ifndef RAND_MAX
#define RAND_MAX 32767
a->state_set = overrides->state_set || base->state_set;
a->options = (overrides->options_set == 0) ? base->options : overrides->options;
a->options_set = overrides->options_set || base->options_set;
- a->baseurl = (overrides->baseurl_set == 0) ? base->baseurl : overrides->baseurl;
- a->baseurl_set = overrides->baseurl_set || base->baseurl_set;
+
+ if (a->options & OPTION_MERGEBASE) {
+ a->baseurl = (overrides->baseurl_set == 0) ? base->baseurl : overrides->baseurl;
+ a->baseurl_set = overrides->baseurl_set || base->baseurl_set;
+ }
+ else {
+ a->baseurl = overrides->baseurl;
+ }
a->directory = overrides->directory;
else if (!strcasecmp(w, "allowanyuri")) {
options |= OPTION_ANYURI;
}
+ else if (!strcasecmp(w, "mergebase")) {
+ options |= OPTION_MERGEBASE;
+ }
else {
return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '",
w, "'", NULL);
projects / thirdparty / apache / httpd.git / commitdiff
