I was just wondering if a filter should be doing any checking of the
method being passed.
Shouldn't that be done in the handler?
[EMAIL PROTECTED] wrote:
> jwoolley 01/08/25 17:00:39
>
> Modified: . CHANGES
> modules/filters mod_include.c
> Log:
> Fix a security problem which would allow an SSI document
> to be passed to the client unparsed.
>
> Reported by: Brian Pane
>
> Revision Changes Path
> 1.330 +4 -0 httpd-2.0/CHANGES
>
> Index: CHANGES
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/CHANGES,v
> retrieving revision 1.329
> retrieving revision 1.330
> diff -u -d -u -r1.329 -r1.330
> --- CHANGES 2001/08/25 23:43:18 1.329
> +++ CHANGES 2001/08/26 00:00:39 1.330
> @@ -1,5 +1,9 @@
> Changes with Apache 2.0.25-dev
>
> + *) Fix a security problem in mod_include which would allow
> + an SSI document to be passed to the client unparsed.
> + [Cliff Woolley, Brian Pane, William Rowe]
> +
> *) Introduce the map_to_storage hook, which allows modules to bypass
> the directory_walk and file_walk for non-file requests. TRACE
> shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the
>
>
>
> 1.134 +10 -2 httpd-2.0/modules/filters/mod_include.c
>
> Index: mod_include.c
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/modules/filters/mod_include.c,v
> retrieving revision 1.133
> retrieving revision 1.134
> diff -u -d -u -r1.133 -r1.134
> --- mod_include.c 2001/08/25 05:26:05 1.133
> +++ mod_include.c 2001/08/26 00:00:39 1.134
> @@ -2728,9 +2728,17 @@
> if (!(ap_allow_options(r) & OPT_INCLUDES)) {
> return ap_pass_brigade(f->next, b);
> }
> - r->allowed |= (AP_METHOD_BIT << M_GET);
> if (r->method_number != M_GET) {
> - return ap_pass_brigade(f->next, b);
> + ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL);
> + if (r->method_number == M_OPTIONS) {
> + /* it's too late to set the Allow header the "right way" */
> + apr_table_setn(r->headers_out, "Allow",
> + "GET, HEAD, OPTIONS, TRACE");
> + return ap_pass_brigade(f->next, b);
> + }
> + r->status = HTTP_METHOD_NOT_ALLOWED;
> + ap_send_error_response(r, 0);
> + return APR_SUCCESS;
> }
>
> if (!f->ctx) {
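Review bot: the two method lists in this hunk disagree: `ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL)` records GET and OPTIONS, while the hand-built header `"GET, HEAD, OPTIONS, TRACE"` advertises HEAD and TRACE as well, so the methods allowed on the 405 path and those advertised on the OPTIONS path can differ; the comment "it's too late to set the Allow header the right way" acknowledges the workaround, but the two lists should at least be kept in one place so they cannot drift apart. A second point: this check sits before the `if (!f->ctx)` initialisation, so it runs on every brigade the handler passes in, and on the 405 path the brigade `b` is neither passed on nor cleaned up before `return APR_SUCCESS;`, so a later call for the same request would reach `ap_send_error_response(r, 0)` again; guarding the error path (for example on f->ctx) or destroying `b` before returning would close that gap.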