httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject mod_perl test failure with CVE-2009-1195 fix in 2.2.12
Date Mon, 01 Jun 2009 14:30:43 GMT
Hi,

when backporting the CVE-2009-1195 fix in r773881+r779472 from 
branches/2.2.x to 2.2.9, I noticed that it causes a test failure when 
compiling mod_perl 2.0.4. Since I am neither familiar with mod_perl nor 
with the mod_include internals, maybe someone else can check if this is a 
necessary breakage or if the fix can be adjusted to be more backward 
compatible.

The test output:
================
t/api/add_config........................# connecting to 
http://localhost:8560/TestAPI__add_config/
1..9
# Running under perl version 5.010000 for linux
# Current time local: Mon Jun  1 15:56:35 2009
# Current time GMT:   Mon Jun  1 13:56:35 2009
# Using Test.pm version 1.25
# Using Apache/Test.pm version 1.31

...

# expected: 8
# received: 40
not ok 7

...

FAILED test 7
         Failed 1/9 tests, 88.89% okay
=============

The interesting test file in mod_perl's source is 
./t/response/TestAPI/add_config.pm.

It looks like the test sets "Options ExecCGI" and expects 
$r->allow_options to be 8 (Apache2::Const::OPT_EXECCGI), but the actual 
value is 40 (Apache2::Const::OPT_EXECCGI|Apache2::Const::OPT_INCNOEXEC).

Cheers,
Stefan
