angler-fishThe Vulnerability History Project

backport 772997, 773322, 773342 from trunk.

      Reviewed By: jorton, rpluem, covener

Security fix for CVE-2009-1195: fix Options handling such that
'AllowOverride Options=IncludesNoExec' does not permit Includes with
exec= enabled to be configured in an .htaccess file:

* include/http_core.h: Change semantics of Includes/IncludeNoExec
 options bits to be additive; OPT_INCLUDES now means SSI is enabled
 without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
 with exec=.

* server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
 from default override_opts; no functional change.
 (merge_core_dir_configs): Update logic to ensure that exec= is
 disabled in a context where IncludesNoexec is configured, even if
 Includes-with-exec is permitted in the inherited options set.
 (set_allow_opts, set_options): Update to reflect new semantics
 of OPT_INCLUDES, OPT_INC_WITH_EXEC.

* server/config.c: Update to remove OPT_INCNOEXEC from default
 override_opts; no functional chang
by Ernestine the Ladybird 2009-05-12 13:17:29 UTC
commit 6471e670e676c5c3538fc5fd9caa09207d0d1db9
HTTPD Fix CVE-2009-1195
CHANGES
-6
STATUS
+10
include/http_core.h
+4 -4
modules/filters/mod_include.c
+1 -1
server/config.c
+3 -3
server/core.c
+8 -16
expand_less