From: Cliff Woolley Date: Sun, 26 Aug 2001 00:00:39 +0000 (+0000) Subject: Fix a security problem which would allow an SSI document X-Git-Tag: 2.0.25~56 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8c2f7f862f7b2c099f464f0dff19cca6a0848d89;p=apache Fix a security problem which would allow an SSI document to be passed to the client unparsed. Reported by: Brian Pane git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90668 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 01bf04ce87..de0d1f28d6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@ Changes with Apache 2.0.25-dev + *) Fix a security problem in mod_include which would allow + an SSI document to be passed to the client unparsed. + [Cliff Woolley, Brian Pane, William Rowe] + *) Introduce the map_to_storage hook, which allows modules to bypass the directory_walk and file_walk for non-file requests. TRACE shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the
diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 6230eb2294..bc24085c5b 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -2728,9 +2728,17 @@ static apr_status_t includes_filter(ap_filter_t *f, apr_bucket_brigade *b)
 if (!(ap_allow_options(r) & OPT_INCLUDES)) {
 return ap_pass_brigade(f->next, b);
 }
- r->allowed |= (AP_METHOD_BIT << M_GET);
 if (r->method_number != M_GET) {
- return ap_pass_brigade(f->next, b);
+ ap_allow_methods(r, REPLACE_ALLOW, "GET", "OPTIONS", NULL);
+ if (r->method_number == M_OPTIONS) {
+ /* it's too late to set the Allow header the "right way" */
+ apr_table_setn(r->headers_out, "Allow",
+ "GET, HEAD, OPTIONS, TRACE");
+ return ap_pass_brigade(f->next, b);
+ }
+ r->status = HTTP_METHOD_NOT_ALLOWED;
+ ap_send_error_response(r, 0);
+ return APR_SUCCESS;
 }
 
 if (!f->ctx) {
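Review bot: The `M_OPTIONS` branch in the mod_include.c hunk still ends in `return ap_pass_brigade(f->next, b);`, so whatever the handler put in `b` for an OPTIONS request is forwarded without SSI parsing, which is the behaviour this commit removes for the other non-GET methods. If the handler can never place the document body in the brigade for OPTIONS, state that assumption at the return, e.g. `/* OPTIONS: handler sends no document body, so nothing unparsed is passed on */`; otherwise the brigade should be discarded there as well. The hard-coded `"GET, HEAD, OPTIONS, TRACE"` also disagrees with the `"GET", "OPTIONS"` list given to `ap_allow_methods()` at the top of the branch, so an OPTIONS reply and a 405 reply may advertise different method sets (the 405 header is built outside this hunk, so this is inferred). includes_filter begins before and continues after the hunk.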