Commit ce7bd9ec authored by Rainer Jung's avatar Rainer Jung
Browse files

Revert commit r1392042. 

It was voted as backport of r1227280 from 2.2.x,
instead applied was r1198940 from trunk, which
breaks compilation (wrong return type, non-existing
APR macro). The 2.2 revision has these fixed.

Will apply the 2.2 revision next, since the vote
was actually for that one.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1393578 13f79535-47bb-0310-9956-ffa450edef68
parent 002ba30d

CHANGES

+0 −4
Original line number Diff line number Diff line
@@ -11,10 +11,6 @@ Changes with Apache 2.0.65 
     could cause the parent to crash at shutdown rather than terminate 

     cleanly.  [Joe Orton]



  *) SECURITY: CVE-2011-3607 (cve.mitre.org)

     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.

     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]



  *) SECURITY: CVE-2011-3368 (cve.mitre.org)

     Reject requests where the request-URI does not match the HTTP

     specification, preventing unexpected expansion of target URLs in

STATUS

+7 −0
Original line number Diff line number Diff line
@@ -129,6 +129,13 @@ RELEASE SHOWSTOPPERS: 
            More eyes welcome.

     jim: not a showstopper, imo



  *) SECURITY: CVE-2011-3607 (cve.mitre.org)

     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module

     is enabled, could allow local users to gain privileges via a .htaccess

     file. [Stefan Fritsch, Greg Ames]

     From 2.2.x; http://svn.apache.org/viewvc?view=revision&revision=1227280

       +1: gregames, wrowe, trawick



  *) SECURITY: CVE-2011-4317 (cve.mitre.org)

     Resolve additional cases of URL rewriting with ProxyPassMatch or

     RewriteRule, where particular request-URIs could result in undesired

server/util.c

+0 −2
Original line number Diff line number Diff line
@@ -410,8 +410,6 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, 
            len++;

        }

        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {

            if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)

                return APR_ENOMEM;

            len += pmatch[no].rm_eo - pmatch[no].rm_so;

        }