On Mon, Jun 1, 2009 at 7:30 AM, Stefan Fritsch <[email protected]> wrote:
> Hi, > > when backporting the CVE-2009-1195 fix in r773881+r779472 from > branches/2.2.x to 2.2.9, I noticed that it causes a test failure when > compiling mod_perl 2.0.4. Since I am neither familiar with mod_perl nor with > the mod_include internals, maybe someone else can check if this is a > necessary breakage or if the fix can be adjusted to be more backward > compatible. > > The test output: > ================ > t/api/add_config........................# connecting to > http://localhost:8560/TestAPI__add_config/ > 1..9 > # Running under perl version 5.010000 for linux > # Current time local: Mon Jun 1 15:56:35 2009 > # Current time GMT: Mon Jun 1 13:56:35 2009 > # Using Test.pm version 1.25 > # Using Apache/Test.pm version 1.31 > > ... > > # expected: 8 > # received: 40 > not ok 7 > > ... > > FAILED test 7 > Failed 1/9 tests, 88.89% okay > ============= > > The interesting test file in mod_perls source is ./t/response/TestAPI/ > add_config.pm. > > It looks like the test sets "Options ExecCGI" and expects $r->allow_options > to be 8 (Apache2::Const::OPT_EXECCGI), but the actual value is 40 > (Apache2::Const::OPT_EXECCGI|Apache2::Const::OPT_INCNOEXEC). > Gosh we su^H^H^H^H... Thanks so much! The simple flipping of that bit in ap_allow_options() is incorrect; it needs to do so only if OPT_INCLUDES is turned on. This patch works for me; please try it with the Perl suite. Index: server/core.c =================================================================== --- server/core.c (revision 780727) +++ server/core.c (working copy) @@ -665,7 +665,12 @@ * inverted, such that the exposed semantics match that of * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not* * permitted. */ - return conf->opts ^ OPT_INC_WITH_EXEC; + if (conf->opts & OPT_INCLUDES) { + return conf->opts ^ OPT_INC_WITH_EXEC; + } + else { + return conf->opts; + } }
