Security fix for CVE-2009-1195: fix Options handling such that
'AllowOverride Options=IncludesNoExec' does not permit Includes with exec= enabled to be configured in an .htaccess file: * include/http_core.h: Change semantics of Includes/IncludeNoExec options bits to be additive; OPT_INCLUDES now means SSI is enabled without exec=. OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled with exec=. * server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC from default override_opts; no functional change. (merge_core_dir_configs): Update logic to ensure that exec= is disabled in a context where IncludesNoexec is configured, even if Includes-with-exec is permitted in the inherited options set. (set_allow_opts, set_options): Update to reflect new semantics of OPT_INCLUDES, OPT_INC_WITH_EXEC. * server/config.c: Update to remove OPT_INCNOEXEC from default override_opts; no functional change. * modules/filters/mod_include.c (includes_filter): Update to reflect new options sema...
parent
fbb27019
Please register or sign in to comment