httpd-cvs mailing list archives

From ge...@apache.org
Subject cvs commit: httpd-2.0/server core.c
Date Tue, 21 Sep 2004 13:21:22 GMT
geoff       2004/09/21 06:21:21

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               server   Tag: APACHE_2_0_BRANCH core.c
  Log:
  SECURITY: CAN-2004-0811 (cve.mitre.org)
  Fix merging of the Satisfy directive, which was applied to
  the surrounding context and could allow access despite configured
  authentication.
  PR: 31315
  Submitted by:	Rici Lake <rici ricilake.net>
  Reviewed by:	jorton, nd, pquerna, geoff
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.357 +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.356
  retrieving revision 1.988.2.357
  diff -u -r1.988.2.356 -r1.988.2.357
  --- CHANGES	18 Sep 2004 00:43:59 -0000	1.988.2.356
  +++ CHANGES	21 Sep 2004 13:21:12 -0000	1.988.2.357
  @@ -1,5 +1,10 @@
   Changes with Apache 2.0.52
   
  +  *) SECURITY: CAN-2004-0811 (cve.mitre.org)
  +     Fix merging of the Satisfy directive, which was applied to
  +     the surrounding context and could allow access despite configured
  +     authentication.  PR 31315.  [Rici Lake <rici ricilake.net>]
  +
     *) Fix the handling of URIs containing %2F when AllowEncodedSlashes
        is enabled.  Previously, such urls would still be rejected.
        [Jeff Trawick, Bill Stoddard]
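
Review bot: The CHANGES entry added at the top of the 2.0.52 section does not say which release is affected. The STATUS item removed in this same commit describes the fix as a "Satisfy merging regression in 2.0.51"; adding "regression in 2.0.51" to the entry would tell administrators running that release that they need this fix and should review any sections that rely on an inherited Satisfy setting.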
  
  
  
  1.751.2.1071 +1 -6      httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.1070
  retrieving revision 1.751.2.1071
  diff -u -r1.751.2.1070 -r1.751.2.1071
  --- STATUS	21 Sep 2004 01:36:46 -0000	1.751.2.1070
  +++ STATUS	21 Sep 2004 13:21:13 -0000	1.751.2.1071
  @@ -74,11 +74,6 @@
     [ please place file names and revisions from HEAD here, so it is easy to
       identify exactly what the proposed changes are! ]
   
  -    *) Fix Satisfy merging regression in 2.0.51.
  -       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/core.c?r1=1.285&r2=1.286
   
  -       PR: 31315
  -       +1: jorton, nd, pquerna, geoff
  -
       *) Fix the global mutex crash when the global mutex is never allocated
          due to disabled/empty caches.
            modules/ldap/util_ldap.c: 1.13
  
  
  
  No                   revision
  No                   revision
  1.225.2.28 +4 -0      httpd-2.0/server/core.c
  
  Index: core.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/core.c,v
  retrieving revision 1.225.2.27
  retrieving revision 1.225.2.28
  diff -u -r1.225.2.27 -r1.225.2.28
  --- core.c	31 Aug 2004 08:16:56 -0000	1.225.2.27
  +++ core.c	21 Sep 2004 13:21:16 -0000	1.225.2.28
  @@ -351,9 +351,13 @@
       /* Otherwise we simply use the base->sec_file array
        */
   
  +    /* use a separate ->satisfy[] array either way */
  +    conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
       for (i = 0; i < METHODS; ++i) {
           if (new->satisfy[i] != SATISFY_NOSPEC) {
               conf->satisfy[i] = new->satisfy[i];
  +        } else {
  +            conf->satisfy[i] = base->satisfy[i];
           }
       }
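
Review bot: The comment added above the apr_palloc() call, "use a separate ->satisfy[] array either way", says what is done but not why it matters for access control. Going by the log message (the directive "was applied to the surrounding context"), conf->satisfy could previously refer to the same array as base, so the assignment conf->satisfy[i] = new->satisfy[i] wrote into the enclosing context. The comment should say so, so that a later cleanup does not remove the allocation as redundant. The new else branch is required, not optional: apr_palloc() returns uninitialized memory, so every one of the METHODS entries has to be assigned, and copying base->satisfy[i] makes the inheritance explicit. The commit also carries no regression test; a merge test with a nested section that sets Satisfy, asserting that the parent's satisfy[] values are unchanged afterwards, would guard against this coming back.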
   
  
  
  
