core: Disallow Methods' registration at run time (.htaccess), they may be

used only if registered at init time (httpd.conf).

Calling ap_method_register() in children processes is not the right scope
since it won't be shared for all requests.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 4ca0e4cc8227e3a34aaaf529c80c4b80040ee038..2b744675e78ae1e27a7e5f8f01f479b167b66e79 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) core: Disallow Methods' registration at runtime (.htaccess), they may be
+     used only if registered at init time (httpd.conf).  [Yann Ylavic]
+
   *) mod_md: v0.9.1:
      - various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If 
        someone already used percent configurations, it is advised to change these to a new value,

diff --git a/server/core.c b/server/core.c
index 76adb4d8693813768ee678e1b90279d6a71095b7..c9b6837bd41e86da5816cbe1f6693674df0f97f8 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -2331,6 +2331,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd,
             /* method has not been registered yet, but resource restriction
              * is always checked before method handling, so register it.
              */
+            if (cmd->pool == cmd->temp_pool) {
+                /* In .htaccess, we can't globally register new methods. */
+                return apr_psprintf(cmd->pool, "Could not register method '%s' "
+                                   "for %s from .htaccess configuration",
+                                    method, cmd->cmd->name);
+            }
             methnum = ap_method_register(cmd->pool,
                                          apr_pstrdup(cmd->pool, method));
         }