Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2009/05/08 16:45:42 UTC
Re: Includes vs IncludesNoExec security issue - help needed
On Tue, Apr 28, 2009 at 02:48:52PM +0100, Joe Orton wrote:
> 5) I'll post an updated patch soon which fixes the behaviour of "Options
> Includes"/"Options +IncludesNoExec" such that SSI is permitted without
> exec, as is the current 2.2.x behaviour, since that seems to be the
> rough consensus. Jon also spotted a minor logic flaw in the patch which
> I'll fix too.
Rather than posting another round, I've committed the updated patch
which includes those changes:
http://svn.apache.org/viewvc?rev=772997&view=rev
Along with a test suite:
http://svn.apache.org/viewvc?rev=773001&view=rev
For reference, this issue has been assigned CVE name CVE-2009-1195.
Thanks a lot to everybody who has helped out with this issue.
Regards, Joe