envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]
+ *) core: Disallow directives in AllowOverrideList which are only allowed
+ in VirtualHost or server context. These are usually not prepared to be
+ called in .htaccess files. [Stefan Fritsch]
+
*) core: In AllowOverrideList, do not allow 'None' together with other
directives. PR 52823. [Stefan Fritsch]
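Review bot: the new CHANGES entry says "Disallow", but the core.c change in this commit only logs at APLOG_WARNING (APLOGNO(02304)) and skips the entry with `continue`, so the configuration still loads. Suggest wording the entry to say that such directives are discarded with a warning, so administrators know to check the error log rather than expect a startup failure.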
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * core: In AllowOverrideList, disallow directives which are only allowed
- in VirtualHost or server context.
- Trunk patch: http://svn.apache.org/viewvc?rev=1302665&view=rev
- 2.4.x patch: Trunk patch works (skip docs/log-message-tags/next-number)
- +1: sf, covener, druggeri
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
const command_rec *result = NULL;
module *mod = ap_top_module;
result = ap_find_command_in_modules(argv[i], &mod);
- if (result)
- apr_table_set(d->override_list, argv[i], "1");
- else
+ if (result == NULL) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server,
APLOGNO(00116) "Discarding unrecognized "
"directive `%s' in AllowOverrideList at %s:%d",
argv[i], cmd->directive->filename,
cmd->directive->line_num);
+ continue;
+ }
+ else if ((result->req_override & (OR_ALL|ACCESS_CONF)) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server,
+ APLOGNO(02304) "Discarding directive `%s' not "
+ "allowed in AllowOverrideList at %s:%d",
+ argv[i], cmd->directive->filename,
+ cmd->directive->line_num);
+ continue;
+ }
+ else {
+ apr_table_set(d->override_list, argv[i], "1");
+ }
}
}
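Review bot: the mask in the new `else if ((result->req_override & (OR_ALL|ACCESS_CONF)) == 0)` test has no comment explaining why ACCESS_CONF is included, so a directive that carries ACCESS_CONF but none of the OR_* bits is still added to d->override_list. The CHANGES entry justifies the check by saying server-context directives are "usually not prepared to be called in .htaccess files"; please add a comment above the test stating why ACCESS_CONF-only directives are considered safe there, or narrow the mask if they are not. Also note that only the single match returned by ap_find_command_in_modules(argv[i], &mod) is tested, which is worth a comment if a directive name can be registered by more than one module. Minor style point: both earlier branches end in `continue`, so the trailing `else { ... }` around apr_table_set() can be dropped to reduce nesting.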