From jwool...@apache.org
Subject cvs commit: httpd-2.0/modules/filters mod_include.c
Date Sun, 26 Aug 2001 00:00:39 GMT
jwoolley    01/08/25 17:00:39

  Modified:    .        CHANGES
               modules/filters mod_include.c
  Log:
  Fix a security problem which would allow an SSI document
  to be passed to the client unparsed.
  
  Reported by:	Brian Pane
  
  Revision  Changes    Path
  1.330     +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.329
  retrieving revision 1.330
  diff -u -d -u -r1.329 -r1.330
  --- CHANGES	2001/08/25 23:43:18	1.329
  +++ CHANGES	2001/08/26 00:00:39	1.330
  @@ -1,5 +1,9 @@
   Changes with Apache 2.0.25-dev
   
  +  *) Fix a security problem in mod_include which would allow
  +     an SSI document to be passed to the client unparsed.
  +     [Cliff Woolley, Brian Pane, William Rowe]
  +
     *) Introduce the map_to_storage hook, which allows modules to bypass
        the directory_walk and file_walk for non-file requests.  TRACE
        shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the
  
  
  
  1.134     +10 -2     httpd-2.0/modules/filters/mod_include.c
  
  Index: mod_include.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/filters/mod_include.c,v
  retrieving revision 1.133
  retrieving revision 1.134
  diff -u -d -u -r1.133 -r1.134
  --- mod_include.c	2001/08/25 05:26:05	1.133
  +++ mod_include.c	2001/08/26 00:00:39	1.134
  @@ -2728,9 +2728,17 @@
       if (!(ap_allow_options(r) & OPT_INCLUDES)) {
           return ap_pass_brigade(f->next, b);
       }
  -    r->allowed |= (AP_METHOD_BIT << M_GET);
       if (r->method_number != M_GET) {
  -        return ap_pass_brigade(f->next, b);
  +        ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL);
  +        if (r->method_number == M_OPTIONS) {
  +            /* it's too late to set the Allow header the "right way" */
  +            apr_table_setn(r->headers_out, "Allow",
  +                           "GET, HEAD, OPTIONS, TRACE");
  +            return ap_pass_brigade(f->next, b);
  +        }
  +        r->status = HTTP_METHOD_NOT_ALLOWED;
  +        ap_send_error_response(r, 0);
  +        return APR_SUCCESS;
       }
   
       if (!f->ctx) {
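Review bot: The two allowed-method lists in this hunk disagree: `ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL);` registers only GET and OPTIONS, while the literal passed to `apr_table_setn` two lines later advertises `"GET, HEAD, OPTIONS, TRACE"`, so the 405 response and the OPTIONS response will name different method sets and the hard-coded string will drift from the registered list the next time either is touched. The simplest fix is to keep a single source of truth, e.g. `ap_allow_methods(r, REPLACE_ALLOW, "GET", "HEAD", "OPTIONS", "TRACE", NULL);` with a comment `/* must match the Allow header set below for OPTIONS */` on the literal. Separately, the M_OPTIONS branch still calls `ap_pass_brigade(f->next, b)` on the unparsed brigade, so the exposure this commit closes would remain for OPTIONS if the handler ever attaches the file body to that response; it is worth confirming (outside this hunk) that no body reaches the filter for OPTIONS, or dropping the brigade in that branch as well. The enclosing filter function begins and ends outside the hunk.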
  
  
  
