Posted to apache-bugdb@apache.org by Taketo Kabe <ka...@sra-tohoku.co.jp> on 2001/11/19 19:41:18 UTC

mod_include/8804: [PATCH] XBitHack behaves as always "on"

>Number:         8804
>Category:       mod_include
>Synopsis:       [PATCH] XBitHack behaves as always "on"
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Nov 19 10:50:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     kabe@sra-tohoku.co.jp
>Release:        2.0.28
>Organization:
apache
>Environment:

SunOS 5.8 Generic_108528-05 sun4u sparc SUNW,Ultra-60
gcc version 2.95.2 19991024 (release)

>Description:

XBitHack behaved as always "on" regardless of any settings.

This will cause any HTML files accidentally chmod +x'ed to be
processed through the INCLUDES filter (if Options +Includes is in effect).

This seems to be caused by modules/filters/mod_include.c:xbithack_handler()
incorrectly extracting the module config structure.
The [PATCH] below changes the reference to the "standard" method.

>How-To-Repeat:

.htaccess:
	Options +Includes
	XBitHack off

test.html:
	<BODY>
	<!--#exec cmd="ls"-->
	</BODY>

$ chmod +x test.html

$ GET http://www/~your/dir/test.html

SSI should not be invoked, but it actually is (BAD).

>Fix:

#********************************* mod_include.c XBitHack always full patch
##dist11
# Fix:
#	XBitHack behaved as always "full"
#
##find httpd-2_0_28 -name '*.dist11' -exec ./0diff {} \;
/usr/local/gnu/bin/patch -p1 --backup --suffix=.dist11 << 'EOP'
=============================== {
diff -u httpd-2_0_28/modules/filters/mod_include.c.dist11 httpd-2_0_28/modules/filters/mod_include.c
--- httpd-2_0_28/modules/filters/mod_include.c.dist11	Wed Sep 19 06:25:07 2001
+++ httpd-2_0_28/modules/filters/mod_include.c	Mon Nov 19 18:16:45 2001
@@ -3167,7 +3167,7 @@
     /* OS/2 dosen't currently support the xbithack. This is being worked on. */
     return DECLINED;
 #else
-    enum xbithack *state;
+    include_dir_config *conf;
  
     if (ap_strcmp_match(r->handler, "text/html")) {
         return DECLINED;
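Review bot: the new `include_dir_config *conf;` declaration in the `#else` branch carries no comment explaining what the per-directory config actually is, which is how the old `enum xbithack *state` came to be mistaken for it. A one-line comment here stating that the module config is an `include_dir_config` and that `xbithack` is only one member of it would help the next reader avoid the same mistyped cast.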
@@ -3176,10 +3176,10 @@
         return DECLINED;
     }
  
-    state = (enum xbithack *) ap_get_module_config(r->per_dir_config,
+    conf = (include_dir_config *) ap_get_module_config(r->per_dir_config,
                                                 &include_module);
  
-    if (*state == xbithack_off) {
+    if (*conf->xbithack == xbithack_off) {
         return DECLINED;
     }
     /* We always return declined, because the default handler will actually
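Review bot: in `if (*conf->xbithack == xbithack_off)` the expression parses as `*(conf->xbithack)`, so it is only correct if the `xbithack` member is itself a pointer; the struct definition is not part of this diff, so please confirm that and consider writing the parentheses explicitly. Both `conf` and `conf->xbithack` are dereferenced without a NULL check, and the continuation line `&include_module);` no longer lines up with the opening parenthesis now that the first line is longer.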
=============================== }}
EOP

>Release-Note:
>Audit-Trail:
>Unformatted:
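
Why the mistyped config pointer never compares equal to "off", as an added example that is not part of the original report or of Apache's source. The struct layout, its leading member, the enum order and the helper names are assumptions; only `include_dir_config`, its pointer member `xbithack` and `xbithack_off` appear in the patch.

```c
#include <stdio.h>
#include <string.h>

/* Assumed model of the module's types; only the names xbithack_off,
 * include_dir_config and the pointer member xbithack come from the patch. */
enum xbithack { xbithack_off, xbithack_on, xbithack_full };

typedef struct {
    char *default_error_msg;   /* hypothetical leading member */
    enum xbithack *xbithack;   /* pointer, as implied by *conf->xbithack */
} include_dir_config;

/* Pre-patch logic: treat the config pointer as if it pointed at the enum.
 * memcpy models the mistyped read without undefined behaviour: the bytes
 * compared are the start of a non-NULL pointer, not the setting. */
static int declined_before_patch(const void *per_dir_config)
{
    enum xbithack state;
    memcpy(&state, per_dir_config, sizeof state);
    return state == xbithack_off;
}

/* Patched logic: go through the struct to the real setting. */
static int declined_after_patch(const void *per_dir_config)
{
    const include_dir_config *conf = per_dir_config;
    return *conf->xbithack == xbithack_off;
}

/* Returns a bitmask: bit 0 = pre-patch declines, bit 1 = patched declines. */
int check(enum xbithack setting)
{
    static char msg[] = "[constructed error message]";
    enum xbithack value = setting;
    include_dir_config conf = { msg, &value };
    return declined_before_patch(&conf) | (declined_after_patch(&conf) << 1);
}

int main(void)
{
    static const char *names[] = { "off", "on", "full" };
    for (int s = xbithack_off; s <= xbithack_full; s++) {
        int r = check((enum xbithack)s);
        printf("XBitHack %-4s  pre-patch declines=%d  patched declines=%d\n",
               names[s], r & 1, (r >> 1) & 1);
    }
    return 0;
}
```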