On Mon, Jan 12, 2015 at 11:25:53AM -0500, Eric Covener wrote: > On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton <jor...@redhat.com> wrote: > > Either way, the fix for CVE-2013-5704 ends up breaking backwards > > compatibility with existing 2.4.x builds of mod_wsgi, which is kind of > > Bad. I don't have a good proposal for how to fix or avoid this. Worst > > case, we make clear the mod_wsgi case is API/ABI abuse and warn binary > > distributors they have to handle this by rebuilding. > > Is there anything we can do in 2.4.11 for packagers who haven't picked > this up yet since we're already picking up a problematic extension of > the struct? > > What if we stashed away the MMN after these fields, and validated it? > Or just a request_rec version?
It would be possible to do some hack. Say, stash something in r->notes that this is a "real" request_rec, and check for that before accessing r->trailers (which only happens in one place). There may well be a cheaper way than modifying r->notes.