Property changes on: . ___________________________________________________________________ Modified: svn:mergeinfo Merged /httpd/httpd/trunk:r772997,773322,773342 Index: STATUS =================================================================== Index: server/config.c =================================================================== --- server/config.c (revision 773036) +++ server/config.c (working copy) @@ -1510,7 +1510,7 @@ parms.temp_pool = ptemp; parms.server = s; parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT); - parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI; + parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives", &arr_parms, NULL, @@ -1617,7 +1617,7 @@ parms.temp_pool = ptemp; parms.server = s; parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT); - parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI; + parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; rv = ap_pcfg_openfile(&cfp, p, fname); if (rv != APR_SUCCESS) { @@ -1755,7 +1755,7 @@ parms.temp_pool = ptemp; parms.server = s; parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT); - parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI; + parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; parms.limited = -1; errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults); Index: server/core.c =================================================================== --- server/core.c (revision 773036) +++ server/core.c (working copy) @@ -108,8 +108,7 @@ conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL; conf->opts_add = conf->opts_remove = OPT_NONE; conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL; - conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER - | OPT_MULTI; + conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; conf->content_md5 = 2; conf->accept_path_info = 3; @@ -242,8 +241,15 @@ conf->opts_remove = (conf->opts_remove & ~new->opts_add) | new->opts_remove; conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add; - if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) { - conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES; + + /* If Includes was enabled with exec in the base config, but + * was enabled without exec in the new config, then disable + * exec in the merged set. */ + if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC)) + == (OPT_INCLUDES|OPT_INC_WITH_EXEC)) + && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC)) + == OPT_INCLUDES)) { + conf->opts &= ~OPT_INC_WITH_EXEC; } } else { @@ -1304,10 +1310,12 @@ opt = OPT_INDEXES; } else if (!strcasecmp(w, "Includes")) { - opt = OPT_INCLUDES; + /* If Includes is permitted, both Includes and + * IncludesNOEXEC may be changed. */ + opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC); } else if (!strcasecmp(w, "IncludesNOEXEC")) { - opt = (OPT_INCLUDES | OPT_INCNOEXEC); + opt = OPT_INCLUDES; } else if (!strcasecmp(w, "FollowSymLinks")) { opt = OPT_SYM_LINKS; @@ -1428,10 +1436,10 @@ opt = OPT_INDEXES; } else if (!strcasecmp(w, "Includes")) { - opt = OPT_INCLUDES; + opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC); } else if (!strcasecmp(w, "IncludesNOEXEC")) { - opt = (OPT_INCLUDES | OPT_INCNOEXEC); + opt = OPT_INCLUDES; } else if (!strcasecmp(w, "FollowSymLinks")) { opt = OPT_SYM_LINKS; Index: CHANGES =================================================================== --- CHANGES (revision 773036) +++ CHANGES (working copy) @@ -5,6 +5,12 @@ mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. PR 46949 [Ruediger Pluem] + *) SECURITY: CVE-2009-1195 (cve.mitre.org) + Prevent the "Includes" Option from being enabled in an .htaccess + file if the AllowOverride restrictions do not permit it. + [Jonathan Peatfield , Joe Orton, + Ruediger Pluem] + *) mod_proxy_ajp: Check more strictly that the backend follows the AJP protocol. [Mladen Turk] Index: modules/filters/mod_include.c =================================================================== --- modules/filters/mod_include.c (revision 773036) +++ modules/filters/mod_include.c (working copy) @@ -3574,7 +3574,7 @@ intern->seen_eos = 0; intern->state = PARSE_PRE_HEAD; ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE); - if (ap_allow_options(r) & OPT_INCNOEXEC) { + if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) { ctx->flags |= SSI_FLAG_NO_EXEC; } intern->accessenable = conf->accessenable; Index: include/http_core.h =================================================================== --- include/http_core.h (revision 773036) +++ include/http_core.h (working copy) @@ -65,7 +65,7 @@ #define OPT_NONE 0 /** Indexes directive */ #define OPT_INDEXES 1 -/** Includes directive */ +/** SSI is enabled without exec= permission */ #define OPT_INCLUDES 2 /** FollowSymLinks directive */ #define OPT_SYM_LINKS 4 @@ -73,14 +73,14 @@ #define OPT_EXECCGI 8 /** directive unset */ #define OPT_UNSET 16 -/** IncludesNOEXEC directive */ -#define OPT_INCNOEXEC 32 +/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */ +#define OPT_INC_WITH_EXEC 32 /** SymLinksIfOwnerMatch directive */ #define OPT_SYM_OWNER 64 /** MultiViews directive */ #define OPT_MULTI 128 /** All directives */ -#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI) +#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI) /** @} */ /**