Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2009/05/22 23:43:00 UTC

Re: [concept PATCH] CVE-2009-1195 tweaks to provide binary compatibility for stable branches

On Fri, May 22, 2009 at 5:12 PM, Jeff Trawick <tr...@gmail.com> wrote:

> (untested)


These references to OPT_ALL should be OPT_PVT_ALL.

./server/config.c:    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
./server/config.c:    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
./server/config.c:    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
./server/core.c:    conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
./server/core.c:    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
./server/core.c:            opt = OPT_ALL;
./server/core.c:                d->override_opts = OPT_ALL;
./server/core.c:            opt = OPT_ALL;

Taking it slowly...

Change all occurrences of OPT_INCLUDES, OPT_INC_WITH_EXEC, and OPT_ALL to
OPT_PVT_ versions of same.

Move OPT_PVT_ definitions inside CORE_PRIVATE.

Provide old OPT_INCLUDES, OPT_INCNOEXEC, and OPT_ALL outside of CORE_PRIVATE
for callers of ap_allow_options() to use.

Revert the change to mod_include so that it uses the old flags when checking
the result of ap_allow_options().

The old flags are available at compile time and will be returned from
ap_allow_options().
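
The split described in the message above, sketched as an added example that is not part of the original post and is not httpd code. The bit values, the reading of OPT_PVT_INC_WITH_EXEC as a positive "exec permitted" bit, and the helper names allow_options_compat(), ssi_enabled() and ssi_exec_allowed() are assumptions made for illustration.

```c
#include <stdio.h>

/* Old public flags that already-compiled modules test for.
 * Names are from the message; the bit values are assumed. */
#define OPT_INCLUDES   4u
#define OPT_INCNOEXEC  32u

/* Private flags that only core would see (inside CORE_PRIVATE).
 * Values and exact meaning are assumed for this sketch. */
#define OPT_PVT_INCLUDES       4u   /* SSI processing permitted */
#define OPT_PVT_INC_WITH_EXEC  64u  /* SSI exec permitted       */

/* Hypothetical stand-in for what ap_allow_options() would do at the
 * API boundary: translate the private bits into the old public ones. */
static unsigned allow_options_compat(unsigned pvt_opts)
{
    /* Bits unrelated to SSI pass through unchanged. */
    unsigned pub = pvt_opts & ~(OPT_PVT_INCLUDES | OPT_PVT_INC_WITH_EXEC);

    if (pvt_opts & OPT_PVT_INCLUDES) {
        pub |= OPT_INCLUDES;
        /* The old API expresses "no exec" as an extra negative bit. */
        if (!(pvt_opts & OPT_PVT_INC_WITH_EXEC))
            pub |= OPT_INCNOEXEC;
    }
    /* Exec bit without the includes bit grants nothing (assumption). */
    return pub;
}

/* What a caller built against the old flags concludes. */
static int ssi_enabled(unsigned pvt_opts)
{
    return (allow_options_compat(pvt_opts) & OPT_INCLUDES) != 0;
}

static int ssi_exec_allowed(unsigned pvt_opts)
{
    unsigned o = allow_options_compat(pvt_opts);
    return (o & OPT_INCLUDES) && !(o & OPT_INCNOEXEC);
}

int main(void)
{
    unsigned cases[] = { 0u, OPT_PVT_INCLUDES,
                         OPT_PVT_INCLUDES | OPT_PVT_INC_WITH_EXEC,
                         OPT_PVT_INC_WITH_EXEC };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("private=0x%02x public=0x%02x ssi=%d exec=%d\n", cases[i],
               allow_options_compat(cases[i]), ssi_enabled(cases[i]),
               ssi_exec_allowed(cases[i]));
    return 0;
}
```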