From 47fde5a7e8dde156bcd51dde3c99eeb1a9d65171 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Igor=20Gali=C4=87?= Date: Tue, 28 Dec 2010 15:56:46 +0000 Subject: [PATCH] Applying patch from PR 33078 (with slight changes to its return values) This patch disallows the mixing of relative (+/-) and absolute Options where insensible. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1053375 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ docs/manual/mod/core.xml | 6 +++--- server/core.c | 26 +++++++++++++++++++++++++- 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index f554b542b3..268290006c 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.3.11 + *) core: Disallow the mixing of relative and absolute Options PR 33708. + [Sönke Tesch ] + *) core: When exporting request headers to HTTP_* environment variables, drop variables whose names contain invalid characters. Describe in the docs how to restore the old behaviour. [Malte S. Stretz ] diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index a22ed5e908..b301edc79e 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -3016,10 +3016,10 @@ directory - are removed from the options currently in force.

- Warning + Note

Mixing Options with a + or - - with those without is not valid syntax, and is likely - to cause unexpected results.

+ - with those without is not valid syntax, and will be + rejected during server startup by the syntax check with an abort.

For example, without any + and - symbols:

diff --git a/server/core.c b/server/core.c index dc1f1c4201..169aac4a72 100644 --- a/server/core.c +++ b/server/core.c @@ -1409,6 +1409,8 @@ static const char *set_options(cmd_parms *cmd, void *d_, const char *l) core_dir_config *d = d_; allow_options_t opt; int first = 1; + int merge = 0; + int all_none = 0; char action; while (l[0]) { @@ -1417,10 +1419,16 @@ static const char *set_options(cmd_parms *cmd, void *d_, const char *l) if (*w == '+' || *w == '-') { action = *(w++); + if (!merge && !first && !all_none) { + return "Either all Options must start with + or -, or no Option may."; + } + merge = 1; } else if (first) { d->opts = OPT_NONE; - first = 0; + } + else if (merge) { + return "Either all Options must start with + or -, or no Option may."; } if (!strcasecmp(w, "Indexes")) { @@ -1448,10 +1456,24 @@ static const char *set_options(cmd_parms *cmd, void *d_, const char *l) opt = OPT_MULTI|OPT_EXECCGI; } else if (!strcasecmp(w, "None")) { + if (!first) { + return "'Options None' must be the first Option given."; + } + else if (merge) { /* Only works since None may not follow any other option. */ + return "You may not use 'Options +None' or 'Options -None'."; + } opt = OPT_NONE; + all_none = 1; } else if (!strcasecmp(w, "All")) { + if (!first) { + return "'Options All' must be the first option given."; + } + else if (merge) { /* Only works since All may not follow any other option. */ + return "You may not use 'Options +All' or 'Options -All'."; + } opt = OPT_ALL; + all_none = 1; } else { return apr_pstrcat(cmd->pool, "Illegal option ", w, NULL); @@ -1474,6 +1496,8 @@ static const char *set_options(cmd_parms *cmd, void *d_, const char *l) else { d->opts |= opt; } + + first = 0; } return NULL; -- 2.40.0