summaryrefslogtreecommitdiffstats
path: root/patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch')
-rw-r--r--patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch21
1 files changed, 21 insertions, 0 deletions
diff --git a/patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch b/patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch
new file mode 100644
index 000000000..4c3ebaabc
--- /dev/null
+++ b/patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch
@@ -0,0 +1,21 @@
+CVE-2017-9798
+
+Backport from https://svn.apache.org/viewvc?view=revision&revision=1807655
+
+diff --git a/server/core.c b/server/core.c
+index f61699e..d24542e 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -1809,6 +1809,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd,
+ /* method has not been registered yet, but resorce restriction
+ * is always checked before method handling, so register it.
+ */
++ if (cmd->pool == cmd->temp_pool) {
++ /* In .htaccess, we can't globally register new methods. */
++ return apr_psprintf(cmd->pool, "Could not register method '%s' "
++ "for %s from .htaccess configuration",
++ method, cmd->cmd->name);
++ }
+ methnum = ap_method_register(cmd->pool, method);
+ }
+
generated by cgit v1.2.3 (git 2.26.2) at 2024-04-25 07:02:28 +0000