httpd-dev mailing list archives

From Joe Orton <>
Subject Re: Includes vs IncludesNoExec security issue - help needed
Date Fri, 08 May 2009 14:45:42 GMT

On Tue, Apr 28, 2009 at 02:48:52PM +0100, Joe Orton wrote:
> 5) I'll post an updated patch soon which fixes the behaviour of "Options 
> Includes"/"Options +IncludesNoExec" such that SSI is permitted without 
> exec, as is the current 2.2.x behaviour, since that seems to be the 
> rough consensus.  Jon also spotted a minor logic flaw in the patch which 
> I'll fix too.

Rather than posting another round, I've committed the updated patch 
which includes those changes:

Along with a test suite:

For reference, this issue has been assigned CVE name CVE-2009-1195.

Thanks a lot to everybody who has helped out with this issue.

Regards, Joe
