Revision 772997

Author: jorton
Date: Fri May 8 14:13:15 2009 UTC (6 months, 2 weeks ago)
Changed paths: 4
Log Message:
Security fix for CVE-2009-1195: fix Options handling such that
'AllowOverride Options=IncludesNoExec' does not permit Includes with
exec= enabled to be configured in an .htaccess file:

* include/http_core.h: Change semantics of Includes/IncludesNoExec
  options bits to be additive; OPT_INCLUDES now means SSI is enabled
  without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
  with exec=.

* server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
  from default override_opts; no functional change.
  (merge_core_dir_configs): Update logic to ensure that exec= is
  disabled in a context where IncludesNoExec is configured, even if
  Includes-with-exec is permitted in the inherited options set.
  (set_allow_opts, set_options): Update to reflect new semantics
  of OPT_INCLUDES, OPT_INC_WITH_EXEC.

* server/config.c: Update to remove OPT_INCNOEXEC from default
  override_opts; no functional change.

* modules/filters/mod_include.c (includes_filter): Update to reflect
  new options semantics - disable exec= support if the
  OPT_INC_WITH_EXEC bit is not set.

Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
          jorton
Thanks to: Vincent Danon <vdanon redhat.com>
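The additive bit semantics the log describes, modelled in C as an added example. This is not httpd's own code: the macro names are taken from the commit, but the bit values, the config struct, the parser and the merge and check functions are all assumptions made for the illustration.

```c
#include <string.h>
/* Model of the additive option bits described in the log. Macro names are
 * the commit's; bit values and every function here are assumptions for
 * this example, not httpd's own code. */
#define OPT_INCLUDES      0x01u  /* SSI enabled, exec= not permitted */
#define OPT_INC_WITH_EXEC 0x02u  /* exec= permitted; only meaningful with OPT_INCLUDES */
typedef struct {
    unsigned opts;           /* effective Options bits in this context */
    unsigned override_opts;  /* bits an .htaccess may set (AllowOverride Options=...) */
    int noexec_configured;   /* this context explicitly set IncludesNoExec */
} dir_config;

/* "Includes" means SSI with exec=; "IncludesNoExec" means SSI without it. */
static unsigned parse_option(const char *word) {
    if (strcmp(word, "Includes") == 0) return OPT_INCLUDES | OPT_INC_WITH_EXEC;
    if (strcmp(word, "IncludesNoExec") == 0) return OPT_INCLUDES;
    return 0;
}

/* Apply "Options <word>" from an .htaccess file. Refused (returns 0) when it
 * needs a bit the parent did not delegate, so AllowOverride
 * Options=IncludesNoExec can never hand out OPT_INC_WITH_EXEC. */
static int set_options_htaccess(dir_config *conf, const char *word) {
    unsigned requested = parse_option(word);
    if (requested == 0 || (requested & ~conf->override_opts)) return 0;
    conf->opts |= requested;
    if (requested == OPT_INCLUDES) conf->noexec_configured = 1;
    return 1;
}
/* Merge a child context onto its parent: where the child configured
 * IncludesNoExec, exec= is cleared even though the parent's bits allow it. */
static unsigned merge_core_opts(const dir_config *parent, const dir_config *child) {
    unsigned merged = parent->opts | child->opts;
    if (child->noexec_configured) merged &= ~OPT_INC_WITH_EXEC;
    return merged;
}

/* The check mod_include must make before honouring exec=: both bits set. */
static int exec_allowed(unsigned opts) {
    return (opts & (OPT_INCLUDES | OPT_INC_WITH_EXEC)) == (OPT_INCLUDES | OPT_INC_WITH_EXEC);
}
/* The CVE scenario end to end: the parent has Includes with exec= but only
 * delegates IncludesNoExec. Returns -1 if the .htaccess line is rejected,
 * otherwise whether exec= is allowed in the merged child context. */
static int cve_scenario(const char *htaccess_word) {
    dir_config parent = { OPT_INCLUDES | OPT_INC_WITH_EXEC, OPT_INCLUDES, 0 };
    dir_config child = { 0, OPT_INCLUDES, 0 };
    if (!set_options_htaccess(&child, htaccess_word)) return -1;
    return exec_allowed(merge_core_opts(&parent, &child));
}
```

With these rules an .htaccess "Options Includes" is refused outright under AllowOverride Options=IncludesNoExec, and "Options IncludesNoExec" merges with exec= cleared even though the parent permits it.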

Changed paths:

Path                                              Details
httpd/httpd/trunk/include/http_core.h             modified, text changed
httpd/httpd/trunk/modules/filters/mod_include.c   modified, text changed
httpd/httpd/trunk/server/config.c                 modified, text changed
httpd/httpd/trunk/server/core.c                   modified, text changed
