+1 On Fri, Feb 17, 2017 at 12:37 PM, William A Rowe Jr <[email protected]> wrote: > Great catch; +1 to commit to 2.2.x and > http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict/ > branches. > > And thanks for adding the breadcrumb for the next sucker to miss this :-O > > On Fri, Feb 17, 2017 at 3:30 AM, Joe Orton <[email protected]> wrote: >> Found during QA of the CVE-2016-8743 patch here. The merging logic in >> merge_core_server_configs is (confusingly) inverted from 2.2 to 2.4, so >> e.g. HttpProtocolOptions doesn't inherit from global to vhost configs in >> 2.2.32. :( >> >> Index: server/core.c >> =================================================================== >> --- server/core.c (revision 1783354) >> +++ server/core.c (working copy) >> @@ -546,15 +546,19 @@ >> ? virt->merge_trailers >> : base->merge_trailers; >> >> - if (virt->http09_enable != AP_HTTP09_UNSET) >> - conf->http09_enable = virt->http09_enable; >> + if (conf->http09_enable == AP_HTTP09_UNSET) >> + conf->http09_enable = base->http09_enable; >> >> - if (virt->http_conformance != AP_HTTP_CONFORMANCE_UNSET) >> - conf->http_conformance = virt->http_conformance; >> + if (conf->http_conformance == AP_HTTP_CONFORMANCE_UNSET) >> + conf->http_conformance = base->http_conformance; >> >> - if (virt->http_methods != AP_HTTP_METHODS_UNSET) >> - conf->http_methods = virt->http_methods; >> + if (conf->http_methods == AP_HTTP_METHODS_UNSET) >> + conf->http_methods = base->http_methods; >> >> + /* N.B. If you backport things here from 2.4, note that the >> + * merging logic needs to be inverted, since conf is initially a >> + * copy of vertv not basev. */ >> + >> return conf; >> } >> >>
-- Eric Covener [email protected]
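Review bot: In the added N.B. comment at the end of the hunk, "vertv" looks like a typo for "virtv". This comment is the only guard against a later backport repeating the inversion, so the name should match the real parameter. The comment would also be easier to notice placed above the three http09_enable / http_conformance / http_methods checks rather than after them. The new checks are correct only while conf starts out as a copy of the vhost config, as the comment states. Writing each one in the explicit form used by the merge_trailers context line just above (`? virt->merge_trailers : base->merge_trailers`) would make the inheritance independent of which side conf was copied from, and would let 2.4 code be backported without inverting it.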
