On Tue, Apr 28, 2009 at 02:48:52PM +0100, Joe Orton wrote:
> 5) I'll post an updated patch soon which fixes the behaviour of "Options
> Includes"/"Options +IncludesNoExec" such that SSI is permitted without
> exec, as is the current 2.2.x behaviour, since that seems to be the
> rough consensus. Jon also spotted a minor logic flaw in the patch which
> I'll fix too.

Rather than posting another round, I've committed the updated patch which
includes those changes:

http://svn.apache.org/viewvc?rev=772997&view=rev

Along with a test suite:

http://svn.apache.org/viewvc?rev=773001&view=rev

For reference, this issue has been assigned CVE name CVE-2009-1195.

Thanks a lot to everybody who has helped out with this issue.

Regards, Joe
