Commit 75f96d53 authored by Geoffrey Young

SECURITY: CAN-2004-0811 (cve.mitre.org)

Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication.
PR: 31315
Submitted by:	Rici Lake <rici ricilake.net>
Reviewed by:	jorton, nd, pquerna, geoff


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105227 13f79535-47bb-0310-9956-ffa450edef68
parent 704de88b
+5 −0
Changes with Apache 2.0.52
  *) SECURITY: CAN-2004-0811 (cve.mitre.org)
     Fix merging of the Satisfy directive, which was applied to
     the surrounding context and could allow access despite configured
     authentication.  PR 31315.  [Rici Lake <rici ricilake.net>]
  *) Fix the handling of URIs containing %2F when AllowEncodedSlashes
     is enabled.  Previously, such urls would still be rejected.
     [Jeff Trawick, Bill Stoddard]
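Review bot: The new CAN-2004-0811 entry does not say which releases are affected. The backport entry for this fix in STATUS, in this same commit, describes it as a "Satisfy merging regression in 2.0.51", so consider saying that here as well (for example "Fix merging of the Satisfy directive, a regression in 2.0.51, which was applied to ..."). An administrator reading CHANGES can then tell at once whether a deployed version is exposed.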
+1 −6
APACHE 2.0 STATUS:                                              -*-text-*-
Last modified at [$Date: 2004/09/21 01:36:46 $]
Last modified at [$Date: 2004/09/21 13:21:13 $]

Release:

@@ -74,11 +74,6 @@ PATCHES TO BACKPORT FROM 2.1
  [ please place file names and revisions from HEAD here, so it is easy to
    identify exactly what the proposed changes are! ]

    *) Fix Satisfy merging regression in 2.0.51.
       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/core.c?r1=1.285&r2=1.286    
       PR: 31315
       +1: jorton, nd, pquerna, geoff

    *) Fix the global mutex crash when the global mutex is never allocated
       due to disabled/empty caches.
         modules/ldap/util_ldap.c: 1.13
+4 −0
@@ -351,9 +351,13 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
    /* Otherwise we simply use the base->sec_file array
     */

    /* use a separate ->satisfy[] array either way */
    conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
    for (i = 0; i < METHODS; ++i) {
        if (new->satisfy[i] != SATISFY_NOSPEC) {
            conf->satisfy[i] = new->satisfy[i];
        } else {
            conf->satisfy[i] = base->satisfy[i];
        }
    }
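Review bot: The comment "use a separate ->satisfy[] array either way" in merge_core_dir_configs says what is done but not why, and the reason is the whole security fix. Please expand it to state that the merged config must not write per-method Satisfy values into an array belonging to the enclosing context, which is the behaviour the commit message describes. Also note that apr_palloc does not zero the allocation, so the result is only well defined because the if/else assigns all METHODS slots. A short remark to that effect, or copying base->satisfy into the new array first and then overriding the entries where new->satisfy[i] != SATISFY_NOSPEC, would keep a later edit to the loop from leaving an indeterminate value to decide access. A regression test for PR 31315 (a nested section setting Satisfy inside a parent that requires authentication) would be worth adding alongside this.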