]> git.ipfire.org Git - thirdparty/apache/httpd.git/commit
Security fix for CVE-2009-1195: fix Options handling such that
authorJoe Orton <jorton@apache.org>
Fri, 8 May 2009 14:13:15 +0000 (14:13 +0000)
committerJoe Orton <jorton@apache.org>
Fri, 8 May 2009 14:13:15 +0000 (14:13 +0000)
commit489bc420ddbbb3ba7bd6f4b8b8e44fc4183deaf0
tree81e278677e42d8ad3874e46d8b824ae1dde4b8fd
parent6ea0ab9e0af61eb500c3b34b49559aa999147c3c
Security fix for CVE-2009-1195: fix Options handling such that
'AllowOverride Options=IncludesNoExec' does not permit Includes with
exec= enabled to be configured in an .htaccess file:

* include/http_core.h: Change semantics of Includes/IncludeNoExec
  options bits to be additive; OPT_INCLUDES now means SSI is enabled
  without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
  with exec=.

* server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
  from default override_opts; no functional change.
  (merge_core_dir_configs): Update logic to ensure that exec= is
  disabled in a context where IncludesNoexec is configured, even if
  Includes-with-exec is permitted in the inherited options set.
  (set_allow_opts, set_options): Update to reflect new semantics
  of OPT_INCLUDES, OPT_INC_WITH_EXEC.

* server/config.c: Update to remove OPT_INCNOEXEC from default
  override_opts; no functional change.

* modules/filters/mod_include.c (includes_filter): Update to reflect
  new options semantics - disable exec= support if the
  OPT_INC_WITH_EXEC bit is not set.

Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
          jorton
Thanks to: Vincent Danon <vdanon redhat.com>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@772997 13f79535-47bb-0310-9956-ffa450edef68
include/http_core.h
modules/filters/mod_include.c
server/config.c
server/core.c