  1. May 08, 2009
    • Security fix for CVE-2009-1195: fix Options handling such that · 701b5288
      Joe Orton authored
      'AllowOverride Options=IncludesNoExec' does not permit Includes with
      exec= enabled to be configured in an .htaccess file:
      
      * include/http_core.h: Change semantics of Includes/IncludeNoExec
        options bits to be additive; OPT_INCLUDES now means SSI is enabled
        without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
        with exec=.
      
      * server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
        from default override_opts; no functional change.
        (merge_core_dir_configs): Update logic to ensure that exec= is
        disabled in a context where IncludesNoexec is configured, even if
        Includes-with-exec is permitted in the inherited options set.
        (set_allow_opts, set_options): Update to reflect new semantics
        of OPT_INCLUDES, OPT_INC_WITH_EXEC.
      
      * server/config.c: Update to remove OPT_INCNOEXEC from default 
        override_opts; no functional change.
      
      * modules/filters/mod_include.c (includes_filter): Update to reflect
        new options semantics - disable exec= support if the
        OPT_INC_WITH_EXEC bit is not set.
      
      Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
                jorton
      Thanks to: Vincent Danon <vdanon redhat.com>
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@772997 13f79535-47bb-0310-9956-ffa450edef68
    • Add . 'default' test first before searching paths, to determine if the · fbb27019
      William A. Rowe Jr authored
      lua.h, liblua5.1, liblua-5.1 or liblua can be resolved.  This avoids
      adding strange paths on fedora/redhat, and choosing the wrong /lib[64]
      flavor.
      
      Also ensure -lm is always added to the actual linked libraries, avoiding
      a LoadModule failure on fedora/redhat.  Still should first try to search 
      for pkg-config lua settings, but note this would break fedora until that
      build hackery is corrected, c.f. the bug
      https://bugzilla.redhat.com/show_bug.cgi?id=499238
      
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@772864 13f79535-47bb-0310-9956-ffa450edef68
    • Here's the simpler solution to the two groups of mappers/ modules... · f40e11f5
      William A. Rowe Jr authored
      The mod_so and mod_watchdog are truly not mappers/ at all.  Very open
      to better names than modules/core/ but these are clearly APIs which
      are to be consumed by the httpd core, or generically, any module.
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@772848 13f79535-47bb-0310-9956-ffa450edef68
  2. May 07, 2009
  3. May 06, 2009
  4. May 05, 2009
  5. May 04, 2009
  6. May 03, 2009