You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by rp...@apache.org on 2009/05/10 12:31:36 UTC

svn commit: r773322 - /httpd/httpd/trunk/server/core.c

Author: rpluem
Date: Sun May 10 10:31:35 2009
New Revision: 773322

URL: http://svn.apache.org/viewvc?rev=773322&view=rev
Log:
* Fix for the following configuration where the exec command was disabled
  in /subdir. All CVE-2009-1195 tests still pass with this patch.

# only two containers in the config

<Directory />
Options Includes
AllowOverride None
</Directory>

<Directory /subdir>
# with this container, mod_cgi/mod_cgid complains about exec being off
# without it, exec cmd= works as expected
SetEnv foo bar
</Directory>


Modified:
    httpd/httpd/trunk/server/core.c

Modified: httpd/httpd/trunk/server/core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?rev=773322&r1=773321&r2=773322&view=diff
==============================================================================
--- httpd/httpd/trunk/server/core.c (original)
+++ httpd/httpd/trunk/server/core.c Sun May 10 10:31:35 2009
@@ -242,8 +242,9 @@
         /* if Includes was enabled without exec in the new config, but
          * was enabled with exec in the base, then disable exec in the
          * resulting options. */
-        if ((base->opts & OPT_INC_WITH_EXEC) 
-            && (new->opts & OPT_INC_WITH_EXEC) == 0) {
+        if ((base->opts & OPT_INC_WITH_EXEC)
+            && (new->opts & OPT_INC_WITH_EXEC) == 0
+            && (new->opts & OPT_INCLUDES)) {
             conf->opts &= ~OPT_INC_WITH_EXEC;
         }
     }