Understanding OptionsBleed

2017-09-20 Thread William A Rowe Jr
So as most people have correctly identified, this defect has existed for an incredibly long time. But how it is triggered and avoided would help us to correctly study unexpected behaviors.

OPTIONS * - won't trigger the defect, .htaccess should not be examined.
OPTIONS / - may trigger the

Re: SSLSrvConfigRec shared

2017-09-20 Thread Stefan Eissing
> On 20.09.2017 at 12:33, Yann Ylavic wrote:
>
> On Wed, Sep 20, 2017 at 12:09 PM, Stefan Eissing wrote:
>>
>> Is there some better way?
>
> I would go with the usual/unconditional per server config (and hence
> merging), trade

Re: SSLSrvConfigRec shared

2017-09-20 Thread Yann Ylavic
On Wed, Sep 20, 2017 at 12:09 PM, Stefan Eissing wrote:
>
> Is there some better way?

I would go with the usual/unconditional per server config (and hence merging), trade simplicity vs a few memory space...

Regards,
Yann.

Re: AP_ENABLE_EXCEPTION_HOOK

2017-09-20 Thread Yann Ylavic
On Wed, Sep 20, 2017 at 10:51 AM, Stefan Eissing wrote:
> Trying to tighten some compiler warnings and gcc complains:
>
> /opt/httpd/trunk/include/mpm_common.h:390:5: error:
> "AP_ENABLE_EXCEPTION_HOOK" is not defined [-Werror=undef]
> #if AP_ENABLE_EXCEPTION_HOOK

SSLSrvConfigRec shared

2017-09-20 Thread Stefan Eissing
mod_ssl's server_rec configurations (SSLSrvConfigRec) are shared between vhost and base server *iff* there are no SSL* directives used inside a VirtualHost. This is not really a good idea since mod_ssl modifies these recs in its post_config hook. This looks currently harmless, e.g. setting

AP_ENABLE_EXCEPTION_HOOK

2017-09-20 Thread Stefan Eissing
Trying to tighten some compiler warnings and gcc complains:

/opt/httpd/trunk/include/mpm_common.h:390:5: error: "AP_ENABLE_EXCEPTION_HOOK" is not defined [-Werror=undef]
 #if AP_ENABLE_EXCEPTION_HOOK

We seem to "#undef" this. Should the check in mpm_common.h not be #ifdef then?