Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/09/21 18:00:49 UTC
svn commit: r21740 -
/release/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch
Author: wrowe
Date: Thu Sep 21 18:00:49 2017
New Revision: 21740
Log:
For the interim, publish the patch
Added:
release/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch
Added: release/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch
==============================================================================
--- release/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch (added)
+++ release/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch Thu Sep 21 18:00:49 2017
@@ -0,0 +1,27 @@
+# r1807754 (r1807655 from trunk)
+#
+# SECURITY (CVE-2017-9798)
+#
+# core: Disallow Methods' registration at run time (.htaccess), they may be
+# used only if registered at init time (httpd.conf).
+#
+# Calling ap_method_register() in children processes is not the right scope
+# since it won't be shared for all requests.
+#
+Index: server/core.c
+===================================================================
+--- server/core.c (revision 1801041)
++++ server/core.c (working copy)
+@@ -2266,6 +2266,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_sect
+ /* method has not been registered yet, but resource restriction
+ * is always checked before method handling, so register it.
+ */
++ if (cmd->pool == cmd->temp_pool) {
++ /* In .htaccess, we can't globally register new methods. */
++ return apr_psprintf(cmd->pool, "Could not register method '%s' "
++ "for %s from .htaccess configuration",
++ method, cmd->cmd->name);
++ }
+ methnum = ap_method_register(cmd->pool,
+ apr_pstrdup(cmd->pool, method));
+ }
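Review bot: The new guard infers ".htaccess context" from pool identity (`cmd->pool == cmd->temp_pool`) rather than from any explicit per-directory flag, and the one-line comment does not say why that equality holds only for .htaccess, so a later change to how the config walker fills those two fields could silently reopen the run-time registration path this patch closes. Expand the comment to state the invariant it relies on, e.g. `/* .htaccess processing presumably hands the same per-request pool in both cmd->pool and cmd->temp_pool, while httpd.conf parsing uses a distinct config pool; confirm against the directive walker before changing either. */` Bailing out before `ap_method_register()` is the right order, since the registry is never touched on the rejected path. The enclosing ap_limit_section begins and ends outside the hunk, so how the caller reports the returned error string is not visible here.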