Applying patch from PR 33078 (with slight changes to its return values)

This patch disallows the mixing of relative (+/-) and absolute Options where insensible.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1053375 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index f554b542b35b051fe510bd28e67dbe652057a731..268290006c865015a56781704092ef5241ba2fa5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.3.11
 
+  *) core: Disallow the mixing of relative and absolute Options PR 33708.
+     [Sönke Tesch <st kino-fahrplan.de>]
+
   *) core: When exporting request headers to HTTP_* environment variables,
      drop variables whose names contain invalid characters. Describe in the
      docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>]

diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
index a22ed5e908a5f23cee9a054630ebb67df74056fe..b301edc79ef107abf6dcc7d0e90a68f36d87bf69 100644 (file)
--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@@ -3016,10 +3016,10 @@ directory</description>
     <code>-</code> are removed from the options currently in
     force. </p>
 
-    <note type="warning"><title>Warning</title>
+    <note><title>Note</title>
     <p>Mixing <directive>Options</directive> with a <code>+</code> or
-    <code>-</code> with those without is not valid syntax, and is likely
-    to cause unexpected results.</p>
+    <code>-</code> with those without is not valid syntax, and will be
+    rejected during server startup by the syntax check with an abort.</p>
     </note>
 
     <p>For example, without any <code>+</code> and <code>-</code> symbols:</p>

diff --git a/server/core.c b/server/core.c
index dc1f1c4201d5c4e2df8b9608961c9d6c8b813fc7..169aac4a72236d7f4214a2a79e659616cdf34a28 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -1409,6 +1409,8 @@ static const char *set_options(cmd_parms *cmd, void *d_, const char *l)
     core_dir_config *d = d_;
     allow_options_t opt;
     int first = 1;
+    int merge = 0;
+    int all_none = 0;
     char action;
 
     while (l[0]) {
@@ -1417,10 +1419,16 @@ static const char *set_options(cmd_parms *cmd, void *d_, const char *l)
 
         if (*w == '+' || *w == '-') {
             action = *(w++);
+            if (!merge && !first && !all_none) {
+                return "Either all Options must start with + or -, or no Option may.";
+            }
+            merge = 1;
         }
         else if (first) {
             d->opts = OPT_NONE;
-            first = 0;
+        }
+        else if (merge) {
+            return "Either all Options must start with + or -, or no Option may.";
         }
 
         if (!strcasecmp(w, "Indexes")) {
@@ -1448,10 +1456,24 @@ static const char *set_options(cmd_parms *cmd, void *d_, const char *l)
             opt = OPT_MULTI|OPT_EXECCGI;
         }
         else if (!strcasecmp(w, "None")) {
+            if (!first) {
+                return "'Options None' must be the first Option given.";
+            }
+            else if (merge) { /* Only works since None may not follow any other option. */
+                return "You may not use 'Options +None' or 'Options -None'.";
+            }
             opt = OPT_NONE;
+            all_none = 1;
         }
         else if (!strcasecmp(w, "All")) {
+            if (!first) {
+                return "'Options All' must be the first option given.";
+            }
+            else if (merge) { /* Only works since All may not follow any other option. */
+                return "You may not use 'Options +All' or 'Options -All'.";
+            }
             opt = OPT_ALL;
+            all_none = 1;
         }
         else {
             return apr_pstrcat(cmd->pool, "Illegal option ", w, NULL);
@@ -1474,6 +1496,8 @@ static const char *set_options(cmd_parms *cmd, void *d_, const char *l)
         else {
             d->opts |= opt;
         }
+
+        first = 0;
     }
 
     return NULL;