The consensus now is that mod_include should just butt out of any decisions
authorCliff Woolley <jwoolley@apache.org>
Mon, 27 Aug 2001 14:43:19 +0000 (14:43 +0000)
committerCliff Woolley <jwoolley@apache.org>
Mon, 27 Aug 2001 14:43:19 +0000 (14:43 +0000)
about what to do with different request methods.  It's true that mod_include
in 1.3.x did not allow POST, but back then it was a handler.  Now it's a
filter and can be used to filter the output of dynamically generated responses,
even ones resulting from a POST request.  So if mod_include is in the filter
stack, it should just blindly parse the brigade regardless of request method.

This still fixes the security problem, it just fixes it by being more flexible
rather than less so.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90728 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/filters/mod_include.c

diff --git a/CHANGES b/CHANGES
index 428d74ece59097c3d13f54d172c3ceca68f1f22c..15f0c3e7ba2855e4cc3a1f54eb8a3ee4d5b4e4dc 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -16,6 +16,10 @@ Changes with Apache 2.0.25-dev
      only runs against real <Directory > blocks.
      [William Rowe]
 
+  *) Fix a security problem in mod_include which would allow
+     an SSI document to be passed to the client unparsed.
+     [Cliff Woolley, Brian Pane]
+
   *) Introduce the map_to_storage hook, which allows modules to bypass
      the directory_walk and file_walk for non-file requests.  TRACE
      shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the
index bc24085c5b8d2fc94eb2a994fb798d463a24de48..f89decdb9067b980da0229bf88ba1698e7c5bf54 100644 (file)
@@ -2728,18 +2728,6 @@ static apr_status_t includes_filter(ap_filter_t *f, apr_bucket_brigade *b)
     if (!(ap_allow_options(r) & OPT_INCLUDES)) {
         return ap_pass_brigade(f->next, b);
     }
-    if (r->method_number != M_GET) {
-        ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL);
-        if (r->method_number == M_OPTIONS) {
-            /* it's too late to set the Allow header the "right way" */
-            apr_table_setn(r->headers_out, "Allow",
-                           "GET, HEAD, OPTIONS, TRACE");
-            return ap_pass_brigade(f->next, b);
-        }
-        r->status = HTTP_METHOD_NOT_ALLOWED;
-        ap_send_error_response(r, 0);
-        return APR_SUCCESS;
-    }
 
     if (!f->ctx) {
         f->ctx    = ctx      = apr_pcalloc(f->c->pool, sizeof(*ctx));