Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 68154 invoked from network); 17 May 2009 15:15:32 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 17 May 2009 15:15:32 -0000 Received: (qmail 54464 invoked by uid 500); 17 May 2009 15:15:30 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 54369 invoked by uid 500); 17 May 2009 15:15:30 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 54360 invoked by uid 99); 17 May 2009 15:15:30 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 17 May 2009 15:15:30 +0000 X-ASF-Spam-Status: No, hits=2.2 required=10.0 tests=HTML_MESSAGE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of trawick@gmail.com designates 72.14.220.156 as permitted sender) Received: from [72.14.220.156] (HELO fg-out-1718.google.com) (72.14.220.156) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 17 May 2009 15:15:22 +0000 Received: by fg-out-1718.google.com with SMTP id 16so995173fgg.17 for ; Sun, 17 May 2009 08:15:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=ExrUyMnbQJq3kbDD74c64B+eV6fiCQZEn6fbEzsx/9I=; b=uLbw7cxEYvtxZyKUYgtruIfEi5iJvAUajFzHdKUAYsLhCvTaSCWaT4nAK04TUptgFB hLXwYw8f6vz5IvmdDzlM9YF0+bgOKnCdFqmmuqWHbibEnrN8o9GerelzRuu/jkYGECgD sjXLuWFI0v5gMFIEiHxlaPIqNvYqNEm/o8UWc= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=rQudNiJyXKlgZOAto4S/gXbMBLp8qE/0mLZhOuBRYgxEvheQuHIhRfmlO9gviNk9Gv zC6OQl/6TKSgJTyuP6lRcWwDrCKGdL7t1HZzNV36zUVxrGUePb3ctLZwTW1Y5E/pJkd7 b7yfFwMQ758V6slRNCApgvjMPUeAkf+MTxoMg= MIME-Version: 1.0 Received: by 10.86.98.7 with SMTP id v7mr5817712fgb.58.1242573300763; Sun, 17 May 2009 08:15:00 -0700 (PDT) In-Reply-To: <20090512131730.1F03F2388842@eris.apache.org> References: <20090512131730.1F03F2388842@eris.apache.org> Date: Sun, 17 May 2009 11:15:00 -0400 Message-ID: Subject: Re: svn commit: r773881 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS include/http_core.h modules/filters/mod_include.c server/config.c server/core.c From: Jeff Trawick To: dev@httpd.apache.org Cc: modperl@perl.apache.org Content-Type: multipart/alternative; boundary=000e0cd24d7e330de0046a1d2426 X-Virus-Checked: Checked by ClamAV on apache.org --000e0cd24d7e330de0046a1d2426 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit On Tue, May 12, 2009 at 9:17 AM, wrote: > Author: covener > Date: Tue May 12 13:17:29 2009 > New Revision: 773881 > > URL: http://svn.apache.org/viewvc?rev=773881&view=rev > Log: > backport 772997, 773322, 773342 from trunk. > Reviewed By: jorton, rpluem, covener > > Security fix for CVE-2009-1195: fix Options handling such that > 'AllowOverride Options=IncludesNoExec' does not permit Includes with > exec= enabled to be configured in an .htaccess file: > > * include/http_core.h: Change semantics of Includes/IncludeNoExec > options bits to be additive; OPT_INCLUDES now means SSI is enabled > without exec=. OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled > with exec=. Current mod_perl tarballs reference OPT_INC_WITH_EXEC as part of mapping the httpd API into perl, and the mod_perl build fails because of this. ("modperl_config.c", line 525: undefined symbol: OPT_INCNOEXEC) While I don't understand why the mod_perl mappings are created at release time against who knows what httpd, it brings up an interesting httpd issue anyway. If some module does have OPT_INCNOEXEC baked in (32), it matches what 2.2.12+ thinks is OPT_INC_WITH_EXEC. Similarly, the old OPT_INC_WITH_EXEC (previously called OPT_INCLUDES), maps what 2.2.12+ thinks is OPT_INCLUDES-without-exec. We could swap the values of OPT_INCLUDES and OPT_INC_WITH_EXEC to lessen the chance of some theoretical module making the wrong decision. We can also define OPT_INCNOEXEC to something (either the new OPT_INCLUDES or "Get your mod_perl patch at XXX"). --000e0cd24d7e330de0046a1d2426 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
On Tue, May 12, 2009 at 9:17 AM, <covener@apache.org> wrote:
Author: covener
Date: Tue May 12 13:17:29 2009
New Revision: 773881

URL: http://svn.apache.org/viewvc?rev=3D773881&view=3Drev
Log:
backport 772997, 773322, 773342 from trunk.
Reviewed By: jorton, rpluem, covener

Security fix for CVE-2009-1195: fix Options handling such that
'AllowOverride Options=3DIncludesNoExec' does not permit Includes w= ith
exec=3D enabled to be configured in an .htaccess file:

* include/http_core.h: Change semantics of Includes/IncludeNoExec
=A0options bits to be additive; OPT_INCLUDES now means SSI is enabled
=A0without exec=3D. =A0OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled<= br> =A0with exec=3D.

Current mod_perl tarballs reference O= PT_INC_WITH_EXEC as part of mapping the httpd API into perl, and the mod_perl build fails because of this.

("modperl_config.c", line 525: undefined symbol: OPT_INCNOEXE= C)

While I don't understand why the mod_perl mappings are create= d at release time against who knows what httpd, it brings up an interesting= httpd issue anyway.

If some module does have OPT_INCNOEXEC baked in (32), it matches what 2= .2.12+ thinks is OPT_INC_WITH_EXEC.=A0 Similarly, the old OPT_INC_WITH_EXEC= (previously called OPT_INCLUDES), maps what 2.2.12+ thinks is OPT_INCLUDES= -without-exec.

We could swap the values of OPT_INCLUDES and OPT_INC_WITH_EXEC to lesse= n the chance of some theoretical module making the wrong decision.

W= e can also define OPT_INCNOEXEC to something (either the new OPT_INCLUDES o= r "Get your mod_perl patch at XXX").

--000e0cd24d7e330de0046a1d2426--