Great catch; +1 to commit to 2.2.x and
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict/
branches.

And thanks for adding the breadcrumb for the next sucker to miss this :-O

On Fri, Feb 17, 2017 at 3:30 AM, Joe Orton <jor...@redhat.com> wrote:
> Found during QA of the CVE-2016-8743 patch here.  The merging logic in
> merge_core_server_configs is (confusingly) inverted from 2.2 to 2.4, so
> e.g. HttpProtocolOptions doesn't inherit from global to vhost configs in
> 2.2.32. :(
>
> Index: server/core.c
> ===================================================================
> --- server/core.c       (revision 1783354)
> +++ server/core.c       (working copy)
> @@ -546,15 +546,19 @@
>                             ? virt->merge_trailers
>                             : base->merge_trailers;
>
> -    if (virt->http09_enable != AP_HTTP09_UNSET)
> -        conf->http09_enable = virt->http09_enable;
> +    if (conf->http09_enable == AP_HTTP09_UNSET)
> +        conf->http09_enable = base->http09_enable;
>
> -    if (virt->http_conformance != AP_HTTP_CONFORMANCE_UNSET)
> -        conf->http_conformance = virt->http_conformance;
> +    if (conf->http_conformance == AP_HTTP_CONFORMANCE_UNSET)
> +        conf->http_conformance = base->http_conformance;
>
> -    if (virt->http_methods != AP_HTTP_METHODS_UNSET)
> -        conf->http_methods = virt->http_methods;
> +    if (conf->http_methods == AP_HTTP_METHODS_UNSET)
> +        conf->http_methods = base->http_methods;
>
> +    /* N.B. If you backport things here from 2.4, note that the
> +     * merging logic needs to be inverted, since conf is initially a
> +     * copy of vertv not basev. */
> +
>      return conf;
>  }
>
>
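Review bot: the N.B. comment added just before `return conf;` says conf is initially a copy of `vertv`, which looks like a typo for `virtv` given the `virt` variable used in the lines above. The comment exists to guide future backports, so the name should be exact. Consider also moving the comment above the three `== ..._UNSET` checks. Those checks are correct only under the assumption the comment states, and the `merge_trailers` context lines directly above still use the `virt->... : base->...` form, so a reader meets two merge idioms in this hunk before reaching the explanation.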
