File httpd-2.2.3-CVE-2009-1195.patch of Package apache2

Index: include/http_core.h
===================================================================
--- include/http_core.h.orig	2006-07-12 05:38:44.000000000 +0200
+++ include/http_core.h	2009-07-20 04:56:09.000000000 +0200
@@ -73,14 +73,14 @@ extern "C" {
 #define OPT_EXECCGI 8
 /**  directive unset */
 #define OPT_UNSET 16
-/**  IncludesNOEXEC directive */
-#define OPT_INCNOEXEC 32
+/**  SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
+#define OPT_INC_WITH_EXEC 32
 /** SymLinksIfOwnerMatch directive */
 #define OPT_SYM_OWNER 64
 /** MultiViews directive */
 #define OPT_MULTI 128
 /**  All directives */
-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
 /** @} */
 
 /**
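Review bot: The public name `OPT_INCNOEXEC` is removed from the header here, yet the comment added to `ap_allow_options()` in the server/core.c hunk says the exposed bit keeps OPT_INCNOEXEC semantics "per comment in http_core.h", and this hunk adds no such comment. Any module outside this patch that still tests `OPT_INCNOEXEC` would stop compiling. Nothing in the header tells a reader that bit 32 means one thing inside `conf->opts` and the opposite in the value returned to callers. I would keep the old name for the caller-facing value, e.g. `#define OPT_INCNOEXEC 32 /* as returned by ap_allow_options(): set when exec= is NOT permitted */`, and extend the `OPT_INC_WITH_EXEC` comment to say it is the internal core_dir_config encoding.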
Index: modules/filters/mod_include.c
===================================================================
--- modules/filters/mod_include.c.orig	2006-07-12 05:38:44.000000000 +0200
+++ modules/filters/mod_include.c	2009-07-20 04:57:28.000000000 +0200
@@ -3524,7 +3524,7 @@ static apr_status_t includes_filter(ap_f
         intern->seen_eos = 0;
         intern->state = PARSE_PRE_HEAD;
         ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
-        if (ap_allow_options(r) & OPT_INCNOEXEC) {
+        if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
             ctx->flags |= SSI_FLAG_NO_EXEC;
         }
 
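Review bot: This test reads the bit through `ap_allow_options(r)`, which the server/core.c hunk of this same patch changes to return `conf->opts ^ OPT_INC_WITH_EXEC`, so the two changes appear to cancel and the result looks inverted. With `Options Includes` the stored bit is set, the returned bit is clear, and `SSI_FLAG_NO_EXEC` is set; with `Options IncludesNOEXEC` the returned bit is set and exec stays enabled, the opposite of what the directive promises. Only one side should change: either keep the caller-facing test as set-means-no-exec, `if (ap_allow_options(r) & OPT_INC_WITH_EXEC) {`, or drop the XOR in `ap_allow_options()`, which would change what other callers of that function see. A request-level test for both directives would settle it; `includes_filter` continues outside the hunk.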
Index: server/core.c
===================================================================
--- server/core.c.orig	2006-07-24 15:34:19.000000000 +0200
+++ server/core.c	2009-07-20 05:09:04.000000000 +0200
@@ -108,8 +108,7 @@ static void *create_core_dir_config(apr_
     conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
     conf->opts_add = conf->opts_remove = OPT_NONE;
     conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
-    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
-                          | OPT_MULTI;
+    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
 
     conf->content_md5 = 2;
     conf->accept_path_info = 3;
@@ -243,8 +242,15 @@ static void *merge_core_dir_configs(apr_
         conf->opts_remove = (conf->opts_remove & ~new->opts_add)
                             | new->opts_remove;
         conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
-        if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
-            conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
+
+        /* If Includes was enabled with exec in the base config, but
+         * was enabled without exec in the new config, then disable
+         * exec in the merged set. */
+        if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
+             == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
+            && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
+                == OPT_INCLUDES)) {
+            conf->opts &= ~OPT_INC_WITH_EXEC;
         }
     }
     else {
@@ -658,7 +664,12 @@ AP_DECLARE(int) ap_allow_options(request
     core_dir_config *conf =
       (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
 
-    return conf->opts;
+    /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
+     * inverted, such that the exposed semantics match that of
+     * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
+     * permitted. */
+    return conf->opts ^ OPT_INC_WITH_EXEC;
+
 }
 
 AP_DECLARE(int) ap_allow_overrides(request_rec *r)
@@ -1304,10 +1315,13 @@ static const char *set_allow_opts(cmd_pa
             opt = OPT_INDEXES;
         }
         else if (!strcasecmp(w, "Includes")) {
-            opt = OPT_INCLUDES;
+         /* If Includes is permitted, both Includes and
+             * IncludesNOEXEC may be changed. */
+            opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ 
         }
         else if (!strcasecmp(w, "IncludesNOEXEC")) {
-            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
+		opt = OPT_INCLUDES;
         }
         else if (!strcasecmp(w, "FollowSymLinks")) {
             opt = OPT_SYM_LINKS;
@@ -1428,10 +1442,10 @@ static const char *set_options(cmd_parms
             opt = OPT_INDEXES;
         }
         else if (!strcasecmp(w, "Includes")) {
-            opt = OPT_INCLUDES;
+            opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
         }
         else if (!strcasecmp(w, "IncludesNOEXEC")) {
-            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
+           opt = OPT_INCLUDES;
         }
         else if (!strcasecmp(w, "FollowSymLinks")) {
             opt = OPT_SYM_LINKS;
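Review bot: `Includes` now carries two bits, so the permission check that consumes `opt` further down in `set_options` decides whether the fix is effective, and that check is outside this hunk and not touched anywhere in the patch. If it only asks whether any bit of `opt` is allowed, a directory limited to `AllowOverride Options=IncludesNOEXEC` would still accept `Options Includes`, because `OPT_INCLUDES` alone satisfies the test. It should require every requested bit, along the lines of `if ((cmd->override_opts & opt) != opt)`. A config test covering that exact combination would be worth adding with the patch.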
Index: server/config.c
===================================================================
--- server/config.c.orig	2006-07-24 15:34:19.000000000 +0200
+++ server/config.c	2009-07-20 05:02:28.000000000 +0200
@@ -1492,7 +1492,7 @@ static const char *process_command_confi
     parms.temp_pool = ptemp;
     parms.server = s;
     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
 
     parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
                                             &arr_parms, NULL,
@@ -1599,7 +1599,7 @@ static const char *process_resource_conf
     parms.temp_pool = ptemp;
     parms.server = s;
     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
 
     rv = ap_pcfg_openfile(&cfp, p, fname);
     if (rv != APR_SUCCESS) {
@@ -1737,7 +1737,7 @@ AP_DECLARE(int) ap_process_config_tree(s
     parms.temp_pool = ptemp;
     parms.server = s;
     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
     parms.limited = -1;
 
     errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);