Fix a security problem which would allow an SSI document

to be passed to the client unparsed.

Reported by:	Brian Pane

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90668 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 01bf04ce87a5a43e8f4bc21c99993a834be6fa4c..de0d1f28d6f7261be3bd707305840a5a883b6214 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
 Changes with Apache 2.0.25-dev
 
+  *) Fix a security problem in mod_include which would allow
+     an SSI document to be passed to the client unparsed.
+     [Cliff Woolley, Brian Pane, William Rowe]
+
   *) Introduce the map_to_storage hook, which allows modules to bypass
      the directory_walk and file_walk for non-file requests.  TRACE
      shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the

diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 6230eb2294a24501166097a916c8d4197faa1d26..bc24085c5b8d2fc94eb2a994fb798d463a24de48 100644 (file)
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -2728,9 +2728,17 @@ static apr_status_t includes_filter(ap_filter_t *f, apr_bucket_brigade *b)
     if (!(ap_allow_options(r) & OPT_INCLUDES)) {
         return ap_pass_brigade(f->next, b);
     }
-    r->allowed |= (AP_METHOD_BIT << M_GET);
     if (r->method_number != M_GET) {
-        return ap_pass_brigade(f->next, b);
+        ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL);
+        if (r->method_number == M_OPTIONS) {
+            /* it's too late to set the Allow header the "right way" */
+            apr_table_setn(r->headers_out, "Allow",
+                           "GET, HEAD, OPTIONS, TRACE");
+            return ap_pass_brigade(f->next, b);
+        }
+        r->status = HTTP_METHOD_NOT_ALLOWED;
+        ap_send_error_response(r, 0);
+        return APR_SUCCESS;
     }
 
     if (!f->ctx) {