File apache2-CVE-2023-38709.patch of Package apache2.34771
Index: httpd-2.4.23/modules/http/http_filters.c
===================================================================
--- httpd-2.4.23.orig/modules/http/http_filters.c
+++ httpd-2.4.23/modules/http/http_filters.c
@@ -1355,6 +1357,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
if (!apr_is_empty_table(r->err_headers_out)) {
r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
r->headers_out);
+ apr_table_clear(r->err_headers_out);
}
if (!check_headers(r)) {
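Review bot: The added `apr_table_clear(r->err_headers_out);` carries no comment, and the hunk does not say why it has to sit between the overlay and `check_headers(r)`. From the visible lines, the overlay merges err_headers_out into headers_out and the clear then empties the source table, so `check_headers(r)` and the code after it work on a single merged table. Presumably the aim is that no later code path sees or re-merges the old entries, but that should be confirmed against the CVE-2023-38709 fix description. I would add `/* err_headers_out is merged into headers_out above; empty it so those fields are not seen a second time */` above the call. The enclosing function starts and ends outside the hunk.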
@@ -1379,6 +1382,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
fixup_vary(r);
}
+
+ /*
+ * Control cachability for non-cacheable responses if not already set by
+ * some other part of the server configuration.
+ */
+ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
+ char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
+ ap_recent_rfc822_date(date, r->request_time);
+ apr_table_addn(r->headers_out, "Expires", date);
+ }
+
/*
* Now remove any ETag response header field if earlier processing
* says so (such as a 'FileETag None' directive).
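Review bot: The relocated block appends `Expires` with `apr_table_addn` after the `check_headers(r)` call seen in the previous hunk, so this field does not appear to pass through that validation. This assumes both hunks are in the same function, as the truncated hunk headers suggest. It looks harmless here, because the value is formatted by `ap_recent_rfc822_date` from `r->request_time` rather than taken from a module or backend. The comment should state that, and also say why the block moved ahead of the ETag handling, for example `/* Value is server-generated, so adding it after check_headers() is safe; do not add module-supplied values here. */`. The enclosing function starts and ends outside the hunk.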
@@ -1426,16 +1440,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
apr_table_setn(r->headers_out, "Content-Language", field);
}
- /*
- * Control cachability for non-cachable responses if not already set by
- * some other part of the server configuration.
- */
- if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
- char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
- ap_recent_rfc822_date(date, r->request_time);
- apr_table_addn(r->headers_out, "Expires", date);
- }
-
/* This is a hack, but I can't find anyway around it. The idea is that
* we don't want to send out 0 Content-Lengths if it is a head request.
* This happens when modules try to outsmart the server, and return