Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2009/05/08 16:45:42 UTC

Re: Includes vs IncludesNoExec security issue - help needed

On Tue, Apr 28, 2009 at 02:48:52PM +0100, Joe Orton wrote:
> 5) I'll post an updated patch soon which fixes the behaviour of "Options 
> Includes"/"Options +IncludesNoExec" such that SSI is permitted without 
> exec, as is the current 2.2.x behaviour, since that seems to be the 
> rough consensus.  Jon also spotted a minor logic flaw in the patch which 
> I'll fix too.

Rather than posting another round, I've committed the updated patch 
which includes those changes:

   http://svn.apache.org/viewvc?rev=772997&view=rev

Along with a test suite:

   http://svn.apache.org/viewvc?rev=773001&view=rev

For reference, this issue has been assigned CVE name CVE-2009-1195.

Thanks a lot to everybody who has helped out with this issue.

Regards, Joe