On Fri, May 22, 2009 at 05:12:31PM -0400, Jeff Trawick wrote:
> (untested)
> 
> ap_allow_options() is how applications, including our mod_include, access
> the enabled options for a given request (other than evil apps which define
> CORE_PRIVATE and locate the core_dir_config).  As this is a callable
> function, it can map internal, hidden bitmaps as appropriate before
> returning to the caller.

Interesting idea!  I'm concerned this is going to be overly intrusive, 
what with requiring the changes to all uses of OPT_ALL internally.  Does 
it really matter what value of OPT_ALL is exposed to modules?

(or specifically: does it break compatibility to change what value of 
OPT_ALL is exposed to modules?)

Something simpler might be sufficient?  Patch against 2.2.x still passes 
the CVE-2009-1195 test: (proof of concept for a bank holiday morning ;)

Index: modules/filters/mod_include.c
===================================================================
--- modules/filters/mod_include.c       (revision 777502)
+++ modules/filters/mod_include.c       (working copy)
@@ -3565,7 +3565,7 @@
         intern->seen_eos = 0;
         intern->state = PARSE_PRE_HEAD;
         ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
-        if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
+        if (ap_allow_options(r) & OPT_INCNOEXEC) {
             ctx->flags |= SSI_FLAG_NO_EXEC;
         }
         intern->accessenable = conf->accessenable;
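Review bot: The replacement test `if (ap_allow_options(r) & OPT_INCNOEXEC)` flips the fail-safe direction of this check. The old test `(ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0` set SSI_FLAG_NO_EXEC whenever the bit was absent, so exec was denied by default. Now a clear bit leaves exec enabled, and the check is only correct because ap_allow_options() inverts the stored bit in server/core.c. A comment here saying that the returned value carries the inverted, public sense of bit 32 would keep a later change to ap_allow_options() from silently re-enabling exec.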
Index: include/http_core.h
===================================================================
--- include/http_core.h (revision 777502)
+++ include/http_core.h (working copy)
@@ -73,14 +73,18 @@
 #define OPT_EXECCGI 8
 /**  directive unset */
 #define OPT_UNSET 16
-/**  SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
-#define OPT_INC_WITH_EXEC 32
+/**  IncludesNOEXEC directive */
+#define OPT_INCNOEXEC 32
+#ifdef CORE_PRIVATE
+/**  internal-only -- do not use! */
+#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
+#endif
 /** SymLinksIfOwnerMatch directive */
 #define OPT_SYM_OWNER 64
 /** MultiViews directive */
 #define OPT_MULTI 128
 /**  All directives */
-#define OPT_ALL 
(OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
+#define OPT_ALL 
(OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
 /** @} */
 
 /**
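Review bot: In the CORE_PRIVATE block, `#define OPT_INC_WITH_EXEC OPT_INCNOEXEC` gives one bit (32) two names with opposite meanings, and the only documentation is "internal-only -- do not use!". Code that defines CORE_PRIVATE and reads the stored options directly sees the exec-permitted sense, while callers of ap_allow_options() see the no-exec sense, so the comment should state that the stored bit is the inverse of the public one. The same applies to OPT_ALL: it still contains bit 32, which now reads publicly as "all options including IncludesNOEXEC", and a module comparing the ap_allow_options() result against OPT_ALL will get a different answer than before. The doc comment on OPT_ALL should say which sense it is meant to carry.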
Index: server/core.c
===================================================================
--- server/core.c       (revision 777502)
+++ server/core.c       (working copy)
@@ -661,7 +661,7 @@
     core_dir_config *conf =
       (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
 
-    return conf->opts;
+    return conf->opts ^ OPT_INC_WITH_EXEC;
 }
 
 AP_DECLARE(int) ap_allow_overrides(request_rec *r)
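Review bot: `return conf->opts ^ OPT_INC_WITH_EXEC;` flips bit 32 unconditionally, so a stored value with no option bits set is returned as 32, and OPT_INCNOEXEC is reported even when OPT_INCLUDES is not set. The removed header comment described the bit as meaningful "iff OPT_INCLUDES is also set", so consider setting OPT_INCNOEXEC in the returned value only when OPT_INCLUDES is set and the stored OPT_INC_WITH_EXEC bit is clear, and masking the bit out otherwise. A short comment on why the stored and returned senses differ is also missing here.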
