httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: svn commit: r773881 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS include/http_core.h modules/filters/mod_include.c server/config.c server/core.c
Date Fri, 22 May 2009 21:10:44 GMT
Jeff Trawick wrote:
> 
> Backing up a bit...
> 
> I originally thought we could map bit values in 2.2.x to avoid affecting
> modules, but that isn't possible since includes-with-exec is two bits
> instead of one.

Hold on... I think this can still work;

  * Retain new true 'Includes' bit as old IncludesNoExec macro value
    Keep ancient Includes flag bit as 256, never true.

  - all httpd modules testing for including but not executing
    permission see the permission as allowed

  - old httpd modules testing for includes with exec permission
    see the permission as denied, until they update the module

  - httpd modules which force/override the includes without exec
    permission would still work

  - httpd modules which force/override the includes exec behavior
    would just fail to update anything (256 & 0xff == 00), so it
    becomes a noop until they update the module

So it has no negative security consequences, still would require
an update to the rare module, but lets us ship something without
really nasty side effects.
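
Added example, not part of the original message and not httpd's own code: a small C model of the remapping proposed above, showing why a flag defined as 256 can never test true or be forced on in an 8-bit options field. It assumes modules are rebuilt against the remapped header; the macro names, the `opts_t` type and the value 0x20 are hypothetical, and only 256 and the 0xff mask come from the message.

```c
#include <stdio.h>

/* Hypothetical names and layout; only 256 and the 0xff mask are from the message. */
typedef unsigned char opts_t;           /* assumed 8-bit per-directory options field */

#define INCLUDES_BIT     0x20u          /* constructed value for the new Includes bit */
#define LEGACY_INCNOEXEC INCLUDES_BIT   /* old no-exec name aliases the new bit */
#define LEGACY_INCLUDES  0x100u         /* 256: old with-exec name, outside the field */

/* How a module tests whether a permission is granted. */
static int opt_allowed(opts_t opts, unsigned int flag)
{
    return (opts & flag) != 0;
}

/* How a module forces a permission on; the store truncates to 8 bits. */
static opts_t opt_force(opts_t opts, unsigned int flag)
{
    return (opts_t)((opts | flag) & 0xffu);
}

/* Count the field values for which the legacy with-exec test passes
 * or the legacy with-exec force changes the stored options. */
static int legacy_exec_effects(void)
{
    int hits = 0;
    for (unsigned int v = 0; v <= 0xffu; v++) {
        opts_t o = (opts_t)v;
        if (opt_allowed(o, LEGACY_INCLUDES))
            hits++;
        if (opt_force(o, LEGACY_INCLUDES) != o)
            hits++;
    }
    return hits;
}

int main(void)
{
    opts_t cfg = INCLUDES_BIT;          /* configuration grants includes */
    printf("no-exec test:   %d\n", opt_allowed(cfg, LEGACY_INCNOEXEC));
    printf("with-exec test: %d\n", opt_allowed(cfg, LEGACY_INCLUDES));
    printf("force no-exec:   0x%02x\n", (unsigned)opt_force(0, LEGACY_INCNOEXEC));
    printf("force with-exec: 0x%02x\n", (unsigned)opt_force(0, LEGACY_INCLUDES));
    printf("legacy with-exec effects over all 256 values: %d\n",
           legacy_exec_effects());
    return 0;
}
```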



