In mod_ssl's directive parser, many directives do not check the allowed
contexts, thus misleading the user that, e.g., in the configuration...

  <LimitExcept GET OPTIONS>
     Require valid-user
     <IfModule ssl_module>
       SSLRequireSSL
     </IfModule>
  </LimitExcept>

the SSLRequireSSL directive indeed applies only to the "destructive"
methods (PUT, PROPSET, ...), while in fact it applies to all methods.

The patch is just a start: more ap_check_cmd_context() calls would be
desirable...

  Martin
-- 
<[EMAIL PROTECTED]>        |     Fujitsu Siemens
http://www.fujitsu-siemens.com/imprint.html | 81730  Munich,  Germany
diff -burp httpd-2.2.4.old5/modules/ssl/ssl_engine_config.c 
httpd-2.2.4/modules/ssl/ssl_engine_config.c
--- httpd-2.2.4.old5/modules/ssl/ssl_engine_config.c    2006-07-23 
13:11:58.000000000 +0200
+++ httpd-2.2.4/modules/ssl/ssl_engine_config.c 2007-08-29 19:32:59.000686000 
+0200
@@ -1159,6 +1159,11 @@ const char *ssl_cmd_SSLOptions(cmd_parms
 const char *ssl_cmd_SSLRequireSSL(cmd_parms *cmd, void *dcfg)
 {
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+    const char *err = ap_check_cmd_context(cmd, 
NOT_IN_LIMIT|NOT_IN_LOCATION|NOT_IN_FILES);
+
+    if (err != NULL) {
+        return err;
+    }
 
     dc->bSSLRequired = TRUE;
 
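Review bot: The mask passed to ap_check_cmd_context() in ssl_cmd_SSLRequireSSL is wider than the problem the message describes. The message only shows SSLRequireSSL taking effect for all methods despite sitting inside <LimitExcept>, which NOT_IN_LIMIT alone would reject; adding NOT_IN_LOCATION|NOT_IN_FILES also makes the directive a configuration error inside <Location> and <Files>, so existing configurations that use it there would stop loading. Either reduce the mask to NOT_IN_LIMIT or justify the other two flags in the message, and update the directive's documented context to match.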
@@ -1172,6 +1177,11 @@ const char *ssl_cmd_SSLRequire(cmd_parms
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
     ssl_expr *expr;
     ssl_require_t *require;
+    const char *err = ap_check_cmd_context(cmd, 
NOT_IN_LIMIT|NOT_IN_LOCATION|NOT_IN_FILES);
+
+    if (err != NULL) {
+        return err;
+    }
 
     if (!(expr = ssl_expr_comp(cmd->pool, (char *)arg))) {
         return apr_pstrcat(cmd->pool, "SSLRequire: ",
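Review bot: The context check in ssl_cmd_SSLRequire is a verbatim copy of the one added to ssl_cmd_SSLRequireSSL, and the message says more handlers still need it. Put the mask behind one shared macro or small helper in this file so that every per-directory handler rejects the same contexts and a later change to the mask cannot miss a copy. The check runs before ssl_expr_comp(), so no expression is compiled for a directive that is about to be rejected; keep that ordering when factoring it out. As in the first handler, NOT_IN_LOCATION|NOT_IN_FILES goes beyond the <LimitExcept> case the message describes.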

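For servers that do not yet carry such a check, the misleading placement described in the message can be found by linting the configuration. This is an added example, not part of the original message or of httpd; `find_misplaced` is a hypothetical helper, the sample configuration is constructed, and Include files and backslash line continuations are not followed.

```python
import re

# Directives whose handlers the patch touches. Per the message, wrapping
# them in a method-limiting section does not limit them to those methods.
DIRECTIVES = {"sslrequiressl", "sslrequire"}
METHOD_SECTIONS = {"limit", "limitexcept"}
OPEN = re.compile(r"<\s*([A-Za-z]\w*)\b[^>]*>\s*$")
CLOSE = re.compile(r"<\s*/\s*([A-Za-z]\w*)\s*>\s*$")

def find_misplaced(config_text):
    """Return (line_no, directive, enclosing_section) for each finding."""
    stack, findings = [], []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            name = m.group(1).lower()
            # Pop back to the matching opener, tolerating unbalanced input.
            if name in stack:
                while stack.pop() != name:
                    pass
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        word = line.split(None, 1)[0]
        enclosing = [s for s in stack if s in METHOD_SECTIONS]
        if word.lower() in DIRECTIVES and enclosing:
            findings.append((no, word, enclosing[-1]))
    return findings

# Constructed sample: the fragment from the message plus a plain placement.
SAMPLE = """\
<Directory /srv/dav>
  SSLRequireSSL
  <LimitExcept GET OPTIONS>
     Require valid-user
     <IfModule ssl_module>
       SSLRequireSSL
     </IfModule>
  </LimitExcept>
</Directory>
"""

if __name__ == "__main__":
    print(find_misplaced(SAMPLE))
```
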