httpd-cvs mailing list archives

From jwool...@apache.org
Subject cvs commit: httpd-2.0/modules/filters mod_include.c
Date Mon, 27 Aug 2001 14:43:19 GMT
jwoolley    01/08/27 07:43:19

  Modified:    .        CHANGES
               modules/filters mod_include.c
  Log:
  The consensus now is that mod_include should just butt out of any decisions
  about what to do with different request methods.  It's true that mod_include
  in 1.3.x did not allow POST, but back then it was a handler.  Now it's a
  filter and can be used to filter the output of dynamically generated responses,
  even ones resulting from a POST request.  So if mod_include is in the filter
  stack, it should just blindly parse the brigade regardless of request method.
  
  This still fixes the security problem, it just fixes it by being more flexible
  rather than less so.
  
  Revision  Changes    Path
  1.334     +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.333
  retrieving revision 1.334
  diff -u -d -u -r1.333 -r1.334
  --- CHANGES	2001/08/27 06:00:51	1.333
  +++ CHANGES	2001/08/27 14:43:19	1.334
  @@ -16,6 +16,10 @@
        only runs against real <Directory > blocks.
        [William Rowe]
   
  +  *) Fix a security problem in mod_include which would allow
  +     an SSI document to be passed to the client unparsed.
  +     [Cliff Woolley, Brian Pane]
  +
     *) Introduce the map_to_storage hook, which allows modules to bypass
        the directory_walk and file_walk for non-file requests.  TRACE
        shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the
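
Review bot: The new CHANGES entry at the top of this hunk says an SSI document could be passed to the client unparsed, but it does not say under which condition or how behaviour changes. The log message ties the problem to the request method, so consider wording such as "mod_include now parses the response regardless of request method", which also tells administrators that responses to POST requests passing through the filter are now parsed.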
  
  
  
  1.135     +0 -12     httpd-2.0/modules/filters/mod_include.c
  
  Index: mod_include.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/filters/mod_include.c,v
  retrieving revision 1.134
  retrieving revision 1.135
  diff -u -d -u -r1.134 -r1.135
  --- mod_include.c	2001/08/26 00:00:39	1.134
  +++ mod_include.c	2001/08/27 14:43:19	1.135
  @@ -2728,18 +2728,6 @@
       if (!(ap_allow_options(r) & OPT_INCLUDES)) {
           return ap_pass_brigade(f->next, b);
       }
  -    if (r->method_number != M_GET) {
  -        ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL);
  -        if (r->method_number == M_OPTIONS) {
  -            /* it's too late to set the Allow header the "right way" */
  -            apr_table_setn(r->headers_out, "Allow",
  -                           "GET, HEAD, OPTIONS, TRACE");
  -            return ap_pass_brigade(f->next, b);
  -        }
  -        r->status = HTTP_METHOD_NOT_ALLOWED;
  -        ap_send_error_response(r, 0);
  -        return APR_SUCCESS;
  -    }
   
       if (!f->ctx) {
           f->ctx    = ctx      = apr_pcalloc(f->c->pool, sizeof(*ctx));
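
Review bot: With the `r->method_number != M_GET` block removed, nothing at this spot records that the absence of a method check is deliberate. The removed M_OPTIONS branch returned `ap_pass_brigade(f->next, b)` without parsing, and the only remaining early pass-through is the `OPT_INCLUDES` test above it. A one-line comment before `if (!f->ctx)` stating that the filter parses the brigade for every request method would keep a later change from reintroducing a method check that sends content downstream unparsed.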
  
  
  
