httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: mod_perl test failure with CVE-2009-1195 fix in 2.2.12
Date Mon, 01 Jun 2009 20:22:10 GMT
On Mon, Jun 01, 2009 at 10:22:45AM -0700, Jeff Trawick wrote:
> On Mon, Jun 1, 2009 at 7:30 AM, Stefan Fritsch <sf@sfritsch.de> wrote:
> > The interesting test file in mod_perl's source is ./t/response/TestAPI/
> > add_config.pm.
> >
> > It looks like the test sets "Options ExecCGI" and expects $r->allow_options
> > to be 8 (Apache2::Const::OPT_EXECCGI), but the actual value is 40
> > (Apache2::Const::OPT_EXECCGI|Apache2::Const::OPT_INCNOEXEC).
> 
> Gosh we su^H^H^H^H...  Thanks so much!  The simple flipping of that bit in
> ap_allow_options() is incorrect; it needs to do so only if OPT_INCLUDES is
> turned on.

I did think about this when writing the patch, but I presumed it would
not matter.  It's not obviously incorrect to say that IncNoExec is
"enabled" in such a configuration.  It's not obviously correct that
mod_perl should dictate that no other bits are set in such a
configuration, even if that has been the case historically.

> This patch works for me; please try it with the Perl suite.

Nevertheless, +1 for 2.2.x

Regards, Joe
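The bit handling the thread is arguing about, as an added example that is a simplified model and not httpd's own ap_allow_options() source. OPT_EXECCGI (8), OPT_INCNOEXEC (32) and the observed value 40 come from the message; OPT_INCLUDES == 2 is the http_core.h value; the `exec_allowed` flag standing in for whatever state the 2.2.12 patch tracks is an assumption.

```c
/* Added example, not httpd code: model of the OPT_INCNOEXEC bit flip in
 * ap_allow_options().  Constants 8 and 32 (and the result 40) are from
 * the thread; OPT_INCLUDES == 2 is httpd's http_core.h value.  The
 * exec_allowed parameter is an assumption standing in for the state the
 * CVE-2009-1195 fix consults. */
#include <stdio.h>

#define OPT_INCLUDES  2
#define OPT_EXECCGI   8
#define OPT_INCNOEXEC 32

/* Behaviour the mod_perl test tripped over: the bit is set whenever
 * exec is not allowed, even when Includes is not enabled at all, so
 * "Options ExecCGI" reports 8|32 == 40 instead of 8. */
static int allow_options_2212(int opts, int exec_allowed)
{
    if (!exec_allowed)
        opts |= OPT_INCNOEXEC;
    return opts;
}

/* Fix direction given in the thread: flip OPT_INCNOEXEC only when
 * OPT_INCLUDES is actually turned on. */
static int allow_options_fixed(int opts, int exec_allowed)
{
    if ((opts & OPT_INCLUDES) && !exec_allowed)
        opts |= OPT_INCNOEXEC;
    return opts;
}

int main(void)
{
    /* "Options ExecCGI" with no Includes: expected 8, 2.2.12 gave 40 */
    printf("ExecCGI only    : 2.2.12=%d fixed=%d\n",
           allow_options_2212(OPT_EXECCGI, 0),
           allow_options_fixed(OPT_EXECCGI, 0));
    /* Includes without exec: both versions agree on 2|32 == 34 */
    printf("Includes no exec: 2.2.12=%d fixed=%d\n",
           allow_options_2212(OPT_INCLUDES, 0),
           allow_options_fixed(OPT_INCLUDES, 0));
    return 0;
}
```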
