From: Joe Orton
Date: Mon, 19 Jan 2026 14:25:20 +0000 (+0000)
Subject: Adds test for SSI query string injection
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a261a61a11b1d85ed004fe47c35dbe34642cac44;p=thirdparty%2Fapache%2Fhttpd.git
Adds test for SSI query string injection
Submitted by: Giannis Christodoulou
Github: closes #591
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1931423 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/test/modules/core/env.py b/test/modules/core/env.py
index 9c63380503..9124a28f26 100644
--- a/test/modules/core/env.py
+++ b/test/modules/core/env.py
@@ -12,7 +12,7 @@ class CoreTestSetup(HttpdTestSetup):
 def __init__(self, env: 'HttpdTestEnv'):
 super().__init__(env=env)
 self.add_source_dir(os.path.dirname(inspect.getfile(CoreTestSetup)))
- self.add_modules(["cgid"])
+ self.add_modules(["cgid","include"])
 class CoreTestEnv(HttpdTestEnv):
diff --git a/test/modules/core/htdocs/ssi/exec.shtml b/test/modules/core/htdocs/ssi/exec.shtml
new file mode 100644
index 0000000000..e98afb15dd
--- /dev/null
+++ b/test/modules/core/htdocs/ssi/exec.shtml
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/test/modules/core/test_004_ssi.py b/test/modules/core/test_004_ssi.py
new file mode 100644
index 0000000000..a4fe03a7f1
--- /dev/null
+++ b/test/modules/core/test_004_ssi.py
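Review bot: The new module list `["cgid","include"]` drops the space after the comma that PEP 8 calls for; `self.add_modules(["cgid", "include"])` keeps it consistent with normal Python style. Note that this enables mod_include for every test under test/modules/core, not only the new SSI test, which is fine but worth a short comment such as `# "include": needed by test_004_ssi (CVE-2025-58098 check)`. The enclosing `__init__` and the rest of CoreTestSetup continue outside the hunk.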
@@ -0,0 +1,32 @@
+import pytest
+import textwrap
+
+from pyhttpd.conf import HttpdConf
+
+class TestSSIInjection:
+
+ @pytest.fixture(autouse=True, scope="class")
+ def _class_scope(self, env):
+ conf = HttpdConf(env, extras={
+ "base": textwrap.dedent(f"""
+
+ Options +Includes
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+
+ """)
+ })
+ conf.install()
+ assert env.apache_restart() == 0
+
+ def test_ssi_004_01(self, env):
+ """
+ CVE-2025-58098:
+ Server Side Includes must not add query string to #exec cmd=...
+ """
+ url = env.mkurl("http", "htdocs", "/ssi/exec.shtml?INJECTED")
+ r = env.curl_get(url)
+
+ body = r.response["body"].decode("utf-8")
+ assert "SSI_OK" in body
+ assert "INJECTED" not in body
\ No newline at end of file
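Review bot: test_ssi_004_01 never checks the HTTP status, so a regression that makes mod_include or the exec fail surfaces only indirectly through `"SSI_OK" in body` rather than as the status mismatch it is; add `assert r.response["status"] == 200` directly after `r = env.curl_get(url)` (the pyhttpd result dict exposes the status under that key). The `Options +Includes` line in the fixture deserves a why-comment, because `IncludesNOEXEC` would silently disable `#exec` and turn the test into a no-op: `# +Includes (not IncludesNOEXEC): #exec cmd must be permitted for this check`. The docstring should also say what exec.shtml is expected to contain (presumably an `#exec cmd` that echoes `SSI_OK`; its content is not visible in this rendering), since the negative assertion `"INJECTED" not in body` is only meaningful if the page's command would echo its arguments.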