$NetBSD: patch-ab,v 1.3 2004/09/23 21:07:25 reed Exp $
http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch
SECURITY: CAN-2004-0811 (cve.mitre.org)
Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication. (a regression in 2.0.51)
Apache PR: 31315
Submitted by: Rici Lake <rici ricilake.net>
--- server/core.c 2004/08/31 08:16:56 1.225.2.27
+++ server/core.c 2004/09/21 13:21:16 1.225.2.28
@@ -351,9 +351,13 @@
/* Otherwise we simply use the base->sec_file array
*/
+ /* use a separate ->satisfy[] array either way */
+ conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS);
for (i = 0; i < METHODS; ++i) {
if (new->satisfy[i] != SATISFY_NOSPEC) {
conf->satisfy[i] = new->satisfy[i];
+ } else {
+ conf->satisfy[i] = base->satisfy[i];
}
}
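Review bot: The comment on the added allocation, "use a separate ->satisfy[] array either way", says what is done but not why, and the why is the whole security fix. According to the commit message, the merged Satisfy setting was being applied to the surrounding context, so the comment should state that conf->satisfy must not share storage with base->satisfy because the loop below writes into it. The apr_palloc result is uninitialised, which is safe here only because the new else branch makes the loop assign all METHODS entries; a short remark to that effect would stop a later edit from dropping the else and leaving entries unset. Since this is an access-control regression, a test configuration would be worth adding alongside the change: an outer context that requires authentication and an inner one that sets Satisfy, checking that the outer context still enforces its own setting and that an inner context with no Satisfy inherits the value from base.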