httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r773881 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS include/http_core.h modules/filters/mod_include.c server/config.c server/core.c
Date Wed, 20 May 2009 12:53:19 GMT
On Sun, May 17, 2009 at 11:15:00AM -0400, Jeff Trawick wrote:
> On Tue, May 12, 2009 at 9:17 AM, <covener@apache.org> wrote:
> 
> > Author: covener
> > Date: Tue May 12 13:17:29 2009
> > New Revision: 773881
> >
> > URL: http://svn.apache.org/viewvc?rev=773881&view=rev
> > Log:
> > backport 772997, 773322, 773342 from trunk.
> > Reviewed By: jorton, rpluem, covener
> >
> > Security fix for CVE-2009-1195: fix Options handling such that
> > 'AllowOverride Options=IncludesNoExec' does not permit Includes with
> > exec= enabled to be configured in an .htaccess file:
> >
> > * include/http_core.h: Change semantics of Includes/IncludeNoExec
> >  options bits to be additive; OPT_INCLUDES now means SSI is enabled
> >  without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
> >  with exec=.
> 
> 
> Current mod_perl tarballs reference OPT_INC_WITH_EXEC as part of mapping the
> httpd API into perl, and the mod_perl build fails because of this.
>
> ("modperl_config.c", line 525: undefined symbol: OPT_INCNOEXEC)

Ick :( For some reason I thought this was hidden by CORE_PRIVATE, for 
what little that's worth.
 
> While I don't understand why the mod_perl mappings are created at release
> time against who knows what httpd, it brings up an interesting httpd issue
> anyway.
> 
> If some module does have OPT_INCNOEXEC baked in (32), it matches what
> 2.2.12+ thinks is OPT_INC_WITH_EXEC.  Similarly, the old OPT_INC_WITH_EXEC
> (previously called OPT_INCLUDES), maps what 2.2.12+ thinks is
> OPT_INCLUDES-without-exec.
> 
> We could swap the values of OPT_INCLUDES and OPT_INC_WITH_EXEC to lessen the
> chance of some theoretical module making the wrong decision.
> 
> We can also define OPT_INCNOEXEC to something (either the new OPT_INCLUDES
> or "Get your mod_perl patch at XXX").

Given that the semantics of the options has changed, I don't think it's 
worth changing httpd to maintain any pretence of compile-time or 
run-time compatibility here.  Any code using the OPT_* constants as 
exposed by mod_perl cannot work as expected any more.

Regards, Joe
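The Options-bit semantics described in the quoted commit message, and Jeff's point about bit 32 changing meaning, modelled in C as an added example (constructed for this page, not httpd or mod_perl code). The value 8 for OPT_INCLUDES, the "requested bits must be a subset of the override mask" rule, and all function names are assumptions.

```c
/* Constructed model of the Includes option bits before and after r773881.
 * Assumed from the 2.2.x headers: OPT_INCLUDES = 8; bit 32 is OPT_INCNOEXEC
 * before the fix (subtractive) and OPT_INC_WITH_EXEC after it (additive). */
#include <stdbool.h>

#define OPT_INCLUDES      8   /* SSI enabled */
#define OPT_INCNOEXEC     32  /* pre-fix meaning of bit 32: exec= removed */
#define OPT_INC_WITH_EXEC 32  /* post-fix meaning of bit 32: exec= added */

/* Bits produced by "Options Includes" / "Options IncludesNoExec" per scheme. */
int old_includes(void)        { return OPT_INCLUDES; }
int old_includes_noexec(void) { return OPT_INCLUDES | OPT_INCNOEXEC; }
int new_includes(void)        { return OPT_INCLUDES | OPT_INC_WITH_EXEC; }
int new_includes_noexec(void) { return OPT_INCLUDES; }

/* Does a request carrying these Options bits get exec= under each scheme? */
bool old_exec_allowed(int opts) {
    return (opts & OPT_INCLUDES) && !(opts & OPT_INCNOEXEC);
}
bool new_exec_allowed(int opts) {
    return (opts & OPT_INCLUDES) && (opts & OPT_INC_WITH_EXEC);
}

/* Simplified override rule (assumed): AllowOverride Options=IncludesNoExec
 * lets .htaccess set only the bits that IncludesNoExec itself sets.
 * Returns the effective bits, or -1 if the .htaccess line is rejected. */
int apply_htaccess(int allowed_mask, int requested) {
    return (requested & ~allowed_mask) ? -1 : requested;
}

/* Pre-fix: the mask is OPT_INCLUDES|OPT_INCNOEXEC, so an .htaccess line
 * "Options Includes" (just OPT_INCLUDES) fits the mask and yields SSI with
 * exec= enabled: the CVE-2009-1195 behaviour the commit removes. */
bool old_htaccess_gets_exec(void) {
    int eff = apply_htaccess(old_includes_noexec(), old_includes());
    return eff != -1 && old_exec_allowed(eff);
}

/* Post-fix: the mask is only OPT_INCLUDES; "Options Includes" now needs
 * bit 32 as well, which the override does not grant, so it is rejected. */
bool new_htaccess_gets_exec(void) {
    int eff = apply_htaccess(new_includes_noexec(), new_includes());
    return eff != -1 && new_exec_allowed(eff);
}

/* Jeff's ABI point: a module built against the old header reads bit 32 as
 * "no exec", while a 2.2.12+ core sets bit 32 to mean "exec on", so the
 * module's decision is inverted for every Includes configuration. */
bool stale_module_misreads(int opts_from_new_core) {
    return old_exec_allowed(opts_from_new_core) != new_exec_allowed(opts_from_new_core);
}
```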
