Even with the CVE-2011-3607 it is still possible to DOS the server by consuming huge amounts of memory with mod_setenvif using a specially crafted configuration.
Here's a backport of an existing fix in 2.4.x which resolves the issue I reproduced. Note that unlike in 2.4.x we need ap_pregsub to handle somewhat arbitrary string lengths. I picked 64MB, which can be overridden at compile time.

http://people.apache.org/~trawick/ap_pregsub_ex_22x.txt

This is essentially a grab of ap_pregsub/ap_pregsub_ex from 2.4.x HEAD with the minimal required changes plus http://svn.apache.org/viewvc?view=revision&revision=1198966

See the XXX notes in the patch for apparent semantic changes which I probably need to back out. (I haven't researched that yet.)

Normally we use STATUS to track this but I don't think it is as polished as we normally expect.

Still to do (tomorrow?): Investigate the XXX's, run the regression suite.

Concerns with the patch? Interested in any of this in the final 2.0.x release?

TIA!

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
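The size-first, allocate-second shape of the fix discussed in this thread (compute the expanded length of a backreference template, refuse it above a compile-time ceiling, and only then allocate), written out as a standalone C example. This is added illustration, not the linked patch and not httpd's own ap_pregsub/ap_pregsub_ex: it uses POSIX regex.h rather than httpd's ap_regex wrappers, and the names pregsub_bounded, expanded_len, next_token, crafted_template_status, the SUB_* status codes and the EXAMPLE_PREGSUB_MAXLEN macro (64 MB here, the figure quoted in the message) are all assumptions made for the example.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical compile-time ceiling on an expanded string; 64 MB by default,
 * overridable with -DEXAMPLE_PREGSUB_MAXLEN=... like the limit in the message. */
#ifndef EXAMPLE_PREGSUB_MAXLEN
#define EXAMPLE_PREGSUB_MAXLEN ((size_t)64 * 1024 * 1024)
#endif

enum { SUB_OK = 0, SUB_TOO_LONG = 1, SUB_NO_MATCH = 2, SUB_BAD_PATTERN = 3, SUB_NO_MEM = 4 };
#define SUB_NMATCH 10   /* $0 (whole match) through $9 */

/* Decode one template token at *src: set *text/*len to the bytes it stands
 * for and advance *src. "$N" expands to capture group N, "\$" to a literal '$'. */
static void next_token(const char **src, const char *source,
                       const regmatch_t *pmatch, const char **text, size_t *len)
{
    const char *s = *src;
    if (s[0] == '$' && s[1] >= '0' && s[1] <= '9') {
        const regmatch_t *m = &pmatch[s[1] - '0'];
        *src = s + 2;
        if (m->rm_so >= 0) { *text = source + m->rm_so; *len = (size_t)(m->rm_eo - m->rm_so); }
        else               { *text = "";               *len = 0; }   /* unused group */
        return;
    }
    if (s[0] == '\\' && s[1] == '$') { *src = s + 2; *text = s + 1; *len = 1; return; }
    *src = s + 1; *text = s; *len = 1;
}

/* Pass 1: total expanded length, or SUB_TOO_LONG the moment the running total
 * would exceed maxlen. Written as piece > maxlen - total so the addition itself
 * can never wrap around size_t, whatever the template contains. */
static int expanded_len(const char *tmpl, const char *source,
                        const regmatch_t *pmatch, size_t maxlen, size_t *out)
{
    size_t total = 0;
    const char *src = tmpl;
    while (*src) {
        const char *text; size_t piece;
        next_token(&src, source, pmatch, &text, &piece);
        if (piece > maxlen - total) return SUB_TOO_LONG;
        total += piece;
    }
    *out = total;
    return SUB_OK;
}

/* Match `source` against `pattern` (POSIX ERE) and expand `tmpl`. On SUB_OK,
 * *result is a malloc'd string the caller frees; otherwise *result is NULL. */
static int pregsub_bounded(const char *pattern, const char *source,
                           const char *tmpl, size_t maxlen, char **result)
{
    regex_t re;
    regmatch_t pmatch[SUB_NMATCH];
    size_t len;
    char *dst, *p;
    const char *src;
    int rc;

    *result = NULL;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return SUB_BAD_PATTERN;
    rc = regexec(&re, source, SUB_NMATCH, pmatch, 0);   /* unused groups get rm_so == -1 */
    regfree(&re);
    if (rc != 0) return SUB_NO_MATCH;

    /* Size first, allocate second: a crafted template can no longer drive the
     * allocation past the ceiling or wrap the length arithmetic. */
    rc = expanded_len(tmpl, source, pmatch, maxlen, &len);
    if (rc != SUB_OK) return rc;

    dst = malloc(len + 1);
    if (!dst) return SUB_NO_MEM;
    for (p = dst, src = tmpl; *src; p += len) {
        const char *text;
        next_token(&src, source, pmatch, &text, &len);
        memcpy(p, text, len);
    }
    *p = '\0';
    *result = dst;
    return SUB_OK;
}

/* Constructed worst case in the spirit of the thread: a template that references
 * the whole match 70000 times against a 1000-byte source would expand to 70 MB,
 * over the 64 MB ceiling, so it is refused before any large allocation happens. */
static int crafted_template_status(void)
{
    enum { SRC_LEN = 1000, REFS = 70000 };
    char *source = malloc(SRC_LEN + 1), *tmpl = malloc(2 * REFS + 1), *out;
    int rc;
    if (!source || !tmpl) { free(source); free(tmpl); return SUB_NO_MEM; }
    memset(source, 'a', SRC_LEN); source[SRC_LEN] = '\0';
    for (int i = 0; i < REFS; i++) { tmpl[2 * i] = '$'; tmpl[2 * i + 1] = '0'; }
    tmpl[2 * REFS] = '\0';
    rc = pregsub_bounded("^a+$", source, tmpl, EXAMPLE_PREGSUB_MAXLEN, &out);
    free(source); free(tmpl); free(out);
    return rc;
}

int main(void)
{
    char *out;
    int rc = pregsub_bounded("^([a-z]+)-([0-9]+)$", "host-42", "id=$2 name=$1",
                             EXAMPLE_PREGSUB_MAXLEN, &out);
    printf("rc=%d out=%s\n", rc, out ? out : "(null)");
    free(out);
    printf("crafted template rc=%d (1 means refused as too long)\n", crafted_template_status());
    return 0;
}
```

The two-pass structure is the point: the only code that runs before the length check is a bounded walk over the template, so the worst a hostile configuration can cost is that walk plus the regex match, never a multi-gigabyte allocation. Build with something like `cc -DEXAMPLE_PREGSUB_MAXLEN=1048576 ...` to see a smaller ceiling reject expansions that the 64 MB default accepts.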
