blob: 5ca3b8b1c64faccd2f3dd3ebd156fcf5d1a4b4ee (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
$NetBSD: patch-ba,v 1.1.2.3 2009/06/12 21:38:06 spz Exp $
Patch for CVE-2009-1195 taken from:
http://svn.apache.org/viewvc?view=rev&revision=773881
http://svn.apache.org/viewvc?view=rev&revision=779472
--- include/http_core.h.orig 2008-02-26 19:47:51.000000000 +0000
+++ include/http_core.h 2009-06-11 20:53:26.000000000 +0100
@@ -65,7 +65,7 @@
#define OPT_NONE 0
/** Indexes directive */
#define OPT_INDEXES 1
-/** Includes directive */
+/** SSI is enabled without exec= permission */
#define OPT_INCLUDES 2
/** FollowSymLinks directive */
#define OPT_SYM_LINKS 4
@@ -80,9 +80,22 @@
/** MultiViews directive */
#define OPT_MULTI 128
/** All directives */
-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
/** @} */
+#ifdef CORE_PRIVATE
+/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
+ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
+ * of the two SSI-related bits are hence:
+ *
+ * OPT_INCLUDES => "enable SSI, without exec= permission"
+ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
+ *
+ * The set of options exposed via ap_allow_options() retains the
+ * semantics of OPT_INCNOEXEC by flipping the bit. */
+#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
+#endif
+
/**
* @defgroup get_remote_host Remote Host Resolution
* @ingroup APACHE_CORE_HTTPD
|