Date: Fri, 22 May 2009 17:28:01 +0100
From: Joe Orton
To: Jeff Trawick, dev@httpd.apache.org, modperl@perl.apache.org
Subject: Re: svn commit: r773881 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS include/http_core.h modules/filters/mod_include.c server/config.c server/core.c
Message-ID: <20090522162801.GA1616@redhat.com>
In-Reply-To: <20090522162607.GA26770@redhat.com>
References: <20090512131730.1F03F2388842@eris.apache.org> <20090520125319.GB2601@redhat.com> <20090522162607.GA26770@redhat.com>

On Fri, May 22, 2009 at 05:26:07PM +0100, Joe Orton wrote:
> Attaching my original analysis for security@ which hopefully answers
> that question ;)

attempt 2

Content-Disposition: attachment; filename="ssi.foo"

I've now had a deeper look into this. I can't see a way to fix the problem without changing the semantics of the OPT_ bits used, as I mentioned briefly in my comment to Vincent.

Status quo:

a) OPT_INCLUDES is interpreted as "SSI is allowed with exec="

b) OPT_INCNOEXEC is interpreted iff OPT_INCLUDES is also set as meaning "SSI is allowed but exec= is not"

c) setting "AllowOverride Options=IncludesNoExec" results in both OPT_INCLUDES and OPT_INCNOEXEC being set in the ->override_opts bitmask, i.e. either or both options can be overridden in .htaccess files

From this leads the fact that an .htaccess file can set simply "Options Includes" in a context which inherits "AllowOverride Options=IncludesNoExec". I'm presuming nobody will argue that's a feature not a bug?

If so, I think this is the set of constraints which need to be satisfied:

1) the result of a config merge with only "Options IncludesNoExec" specified must not allow use of exec= in SSI

2) if "AllowOverride Options=" is used without "Includes", notably, use of "AllowOverride Options=IncludesNoExec", use of "Options Includes" in an .htaccess file must be an error

3) if "AllowOverride Options=Includes" is set, use of both "Options Includes" and "Options IncludesNoExec" must succeed and enable SSI with or without exec= respectively

4) if permitted by AllowOverride, setting "Options Includes" in a context from which "Options IncludesNoExec" is inherited, then the result must be one where exec= is allowed.

Attached is a patch which passes the tests I have so far - Vincent, can you easily re-run your tests used to produce that lovely matrix, with this applied?

Regards,
Joe
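As an added illustration, not Joe Orton's attached patch (which is not reproduced here) and not httpd's own code: a small C model of the OPT_ bitmask semantics from points (a)-(c), showing why an .htaccess "Options Includes" passes the override check when only "Options=IncludesNoExec" was granted, next to a model with independent bits that satisfies constraints 1)-4). The bit values, the function names and the merge rule (an .htaccess "Options" replaces the inherited SSI bits) are assumptions of this model; the real values live in include/http_core.h.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative (hypothetical) bit values; not the values in http_core.h. */
enum { OPT_INCLUDES = 0x01, OPT_INCNOEXEC = 0x02 };
#define OPT_SSI_MASK (OPT_INCLUDES | OPT_INCNOEXEC)

/* Shared .htaccess handling (model): "Options <word>" is rejected unless every
 * bit it turns on is permitted by AllowOverride; on success the inherited SSI
 * bits are replaced by the requested ones. Returns 0, or -1 for "must be an error". */
int apply_htaccess(unsigned inherited, unsigned override_opts,
                   unsigned requested, unsigned *out)
{
    if (requested & ~override_opts)
        return -1;
    *out = (inherited & ~OPT_SSI_MASK) | requested;
    return 0;
}

/* ---- Status quo, points (a)-(c) of the message ---- */

/* Same mapping used for "Options <word>" and "AllowOverride Options=<word>",
 * so Options=IncludesNoExec grants both bits: point (c). */
unsigned legacy_bits(const char *word)
{
    if (strcmp(word, "Includes") == 0)       return OPT_INCLUDES;
    if (strcmp(word, "IncludesNoExec") == 0) return OPT_INCLUDES | OPT_INCNOEXEC;
    return 0;
}
/* (a) SSI on iff OPT_INCLUDES; (b) OPT_INCNOEXEC only matters alongside it. */
bool legacy_ssi_enabled(unsigned opts)  { return (opts & OPT_INCLUDES) != 0; }
bool legacy_exec_allowed(unsigned opts) { return (opts & OPT_INCLUDES) && !(opts & OPT_INCNOEXEC); }

/* Parent: "Options IncludesNoExec" + "AllowOverride Options=IncludesNoExec";
 * .htaccess: "Options Includes". True when accepted AND exec= ends up allowed. */
bool legacy_includes_overrides_noexec(void)
{
    unsigned result;
    if (apply_htaccess(legacy_bits("IncludesNoExec"), legacy_bits("IncludesNoExec"),
                       legacy_bits("Includes"), &result) != 0)
        return false;
    return legacy_exec_allowed(result);
}

/* ---- Model satisfying constraints 1)-4): the two bits become independent ---- */

/* "Options <word>": each word sets exactly one bit. */
unsigned fixed_option_bits(const char *word)
{
    if (strcmp(word, "Includes") == 0)       return OPT_INCLUDES;
    if (strcmp(word, "IncludesNoExec") == 0) return OPT_INCNOEXEC;
    return 0;
}
/* "AllowOverride Options=<word>": Includes also permits the weaker
 * IncludesNoExec; IncludesNoExec permits only itself. */
unsigned fixed_override_bits(const char *word)
{
    if (strcmp(word, "Includes") == 0)       return OPT_INCLUDES | OPT_INCNOEXEC;
    if (strcmp(word, "IncludesNoExec") == 0) return OPT_INCNOEXEC;
    return 0;
}
bool fixed_ssi_enabled(unsigned opts)  { return (opts & OPT_SSI_MASK) != 0; }
bool fixed_exec_allowed(unsigned opts) { return (opts & OPT_INCLUDES) != 0; }

/* 1) IncludesNoExec alone: SSI on, exec= off. */
bool fixed_constraint1(void)
{
    unsigned o = fixed_option_bits("IncludesNoExec");
    return fixed_ssi_enabled(o) && !fixed_exec_allowed(o);
}
/* 2) Under Options=IncludesNoExec, "Options Includes" is an error. */
bool fixed_constraint2(void)
{
    unsigned r;
    return apply_htaccess(fixed_option_bits("IncludesNoExec"), fixed_override_bits("IncludesNoExec"),
                          fixed_option_bits("Includes"), &r) == -1;
}
/* 3) Under Options=Includes, both words succeed with the right exec= result. */
bool fixed_constraint3(void)
{
    unsigned ov = fixed_override_bits("Includes"), a, b;
    if (apply_htaccess(0, ov, fixed_option_bits("Includes"), &a) != 0) return false;
    if (apply_htaccess(0, ov, fixed_option_bits("IncludesNoExec"), &b) != 0) return false;
    return fixed_ssi_enabled(a) && fixed_exec_allowed(a) && fixed_ssi_enabled(b) && !fixed_exec_allowed(b);
}
/* 4) A permitted "Options Includes" over inherited IncludesNoExec allows exec=. */
bool fixed_constraint4(void)
{
    unsigned r;
    if (apply_htaccess(fixed_option_bits("IncludesNoExec"), fixed_override_bits("Includes"),
                       fixed_option_bits("Includes"), &r) != 0) return false;
    return fixed_exec_allowed(r);
}

int main(void)
{
    printf("status quo: 'Options Includes' accepted under Options=IncludesNoExec, exec= allowed: %s\n",
           legacy_includes_overrides_noexec() ? "yes (the bug)" : "no");
    printf("independent-bit model: constraints 1-4 hold: %s\n",
           fixed_constraint1() && fixed_constraint2() && fixed_constraint3() && fixed_constraint4() ? "yes" : "no");
    return 0;
}
```

The model reproduces the point of the message: with the status-quo mapping the override check cannot distinguish "may enable SSI without exec=" from "may enable SSI", because Options=IncludesNoExec stores both bits. Giving each word its own bit, and deriving the override permission separately from the option bits, is what lets the four constraints hold at once.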