From: Cliff Woolley Date: Mon, 27 Aug 2001 14:43:19 +0000 (+0000) Subject: The consensus now is that mod_include should just butt out of any decisions X-Git-Tag: 2.0.25~28 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3e879a75e07bd706bd0ea91618d17a20734788c4;p=apache The consensus now is that mod_include should just butt out of any decisions about what to do with different request methods. It's true that mod_include in 1.3.x did not allow POST, but back then it was a handler. Now it's a filter and can be used to filter the output of dynamically generated responses, even ones resulting from a POST request. So if mod_include is in the filter stack, it should just blindly parse the brigade regardless of request method. This still fixes the security problem, it just fixes it by being more flexible rather than less so. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90728 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 428d74ece5..15f0c3e7ba 100644 --- a/CHANGES +++ b/CHANGES @@ -16,6 +16,10 @@ Changes with Apache 2.0.25-dev only runs against real blocks. [William Rowe] + *) Fix a security problem in mod_include which would allow + an SSI document to be passed to the client unparsed. + [Cliff Woolley, Brian Pane] + *) Introduce the map_to_storage hook, which allows modules to bypass the directory_walk and file_walk for non-file requests. TRACE shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c index bc24085c5b..f89decdb90 100644 --- a/modules/filters/mod_include.c +++ b/modules/filters/mod_include.c 
@@ -2728,18 +2728,6 @@ static apr_status_t includes_filter(ap_filter_t *f, apr_bucket_brigade *b) if (!(ap_allow_options(r) & OPT_INCLUDES)) { return ap_pass_brigade(f->next, b); } - if (r->method_number != M_GET) { - ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL); - if (r->method_number == M_OPTIONS) { - /* it's too late to set the Allow header the "right way" */ - apr_table_setn(r->headers_out, "Allow", - "GET, HEAD, OPTIONS, TRACE"); - return ap_pass_brigade(f->next, b); - } - r->status = HTTP_METHOD_NOT_ALLOWED; - ap_send_error_response(r, 0); - return APR_SUCCESS; - } if (!f->ctx) { f->ctx = ctx = apr_pcalloc(f->c->pool, sizeof(*ctx));
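Review bot: The CHANGES entry in the first hunk describes the symptom ("passed to the client unparsed") but not the trigger or the new behaviour; since the commit message explains that the problem was tied to non-GET request methods and that the filter now parses the brigade regardless of method, the entry should say so, e.g. "for requests using methods other than GET; mod_include now parses SSI output for every request method", so administrators reading CHANGES can judge their exposure and notice that POST to SSI documents is now accepted.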
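Review bot: In the mod_include.c hunk, deleting the whole `if (r->method_number != M_GET)` block removes more than the 405 path: it also drops the `ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL)` call and the explicit `Allow: GET, HEAD, OPTIONS, TRACE` header for OPTIONS, so OPTIONS responses for SSI documents will no longer advertise a restricted method set. That is consistent with the commit message's intent (the filter should not make method decisions), but it is a visible behaviour change worth a line in CHANGES. After this change the only early exit that forwards a brigade unparsed is `if (!(ap_allow_options(r) & OPT_INCLUDES))`, which is the correct single gate; a brief comment at that point stating that method is intentionally not checked here would stop a future maintainer from reintroducing the check.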