CHANGES +4 −0 Original line number Diff line number Diff line Changes with Apache 2.0.25-dev *) Fix a security problem in mod_include which would allow an SSI document to be passed to the client unparsed. [Cliff Woolley, Brian Pane, William Rowe] *) Introduce the map_to_storage hook, which allows modules to bypass the directory_walk and file_walk for non-file requests. TRACE shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the Loading
modules/filters/mod_include.c +10 −2 Original line number Diff line number Diff line Loading @@ -2728,10 +2728,18 @@ static apr_status_t includes_filter(ap_filter_t *f, apr_bucket_brigade *b) if (!(ap_allow_options(r) & OPT_INCLUDES)) { return ap_pass_brigade(f->next, b); } r->allowed |= (AP_METHOD_BIT << M_GET); if (r->method_number != M_GET) { ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL); if (r->method_number == M_OPTIONS) { /* it's too late to set the Allow header the "right way" */ apr_table_setn(r->headers_out, "Allow", "GET, HEAD, OPTIONS, TRACE"); return ap_pass_brigade(f->next, b); } r->status = HTTP_METHOD_NOT_ALLOWED; ap_send_error_response(r, 0); return APR_SUCCESS; } if (!f->ctx) { f->ctx = ctx = apr_pcalloc(f->c->pool, sizeof(*ctx)); Loading
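Review bot: The `M_OPTIONS` branch still ends in `return ap_pass_brigade(f->next, b);`, so whatever the brigade holds goes downstream without SSI parsing, which is the same outcome the CHANGES entry describes as the security problem. If an OPTIONS response can never carry the document body at this point, record that in the comment, e.g. `/* OPTIONS: brigade carries no document body here, so nothing unparsed is passed on */`; if that is not guaranteed, the content should be dropped before the brigade is passed on. The hard-coded `"GET, HEAD, OPTIONS, TRACE"` also lists more methods than the `ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL)` call beside it, and a short comment should explain why the two differ so they do not drift apart. The 405 is decided inside an output filter, so the content generator has presumably already run for the rejected method; it is worth confirming that suppressing the output alone is sufficient. The body of includes_filter starts and ends outside the hunk.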