* Fix for the following configuration where the exec command was disabled

  in /subdir. All CVE-2009-1195 tests still pass with this patch.

# only two containers in the config

<Directory />
Options Includes
AllowOverride None
</Directory>

<Directory /subdir>
# with this container, mod_cgi/mod_cgid complains about exec being off
# without it, exec cmd= works as expected
SetEnv foo bar
</Directory>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@773322 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/server/core.c b/server/core.c
index ad6494ff77236e449f0d59382e6f3f88b5474373..8c0a828159dada5cd60fc1b7a618892fe3ceab7d 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -242,8 +242,9 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
         /* if Includes was enabled without exec in the new config, but
          * was enabled with exec in the base, then disable exec in the
          * resulting options. */
-        if ((base->opts & OPT_INC_WITH_EXEC) 
-            && (new->opts & OPT_INC_WITH_EXEC) == 0) {
+        if ((base->opts & OPT_INC_WITH_EXEC)
+            && (new->opts & OPT_INC_WITH_EXEC) == 0
+            && (new->opts & OPT_INCLUDES)) {
             conf->opts &= ~OPT_INC_WITH_EXEC;
         }
     }