source: branches/fc19-dev/server/common/patches/httpd-mod_status-security.patch @ 2439

Last change on this file since 2439 was 2439, checked in by achernya, 11 years ago
Fix mod_status-security to actually work. Upstream changed the semantics of this module, and the initial rebase mistakenly included too much upstream code.
[2439]1From 6fc43320aab74560a5aad10f6602309f9de9b762 Mon Sep 17 00:00:00 2001
[2422]2From: Alexander Chernyakhovsky <achernya@mit.edu>
3Date: Fri, 3 May 2013 21:39:17 -0400
4Subject: [PATCH 2/4] Prevent mod_status from taking effect in .htaccess files
5
6Introduce a directive to the Apache configuration that is only
7permitted in a directory context, called "PermitStatusHandler", to
8prevent users from enabling mod_status from their .htaccess files.
9
10Signed-off-by: Quentin Smith <quentin@mit.edu>
11Signed-off-by: Geoffrey Thomas <geofft@mit.edu>
12---
[2439]13 modules/generators/mod_status.c |   33 +++++++++++++++++++++++++++++----
14 1 file changed, 29 insertions(+), 4 deletions(-)
[2422]15
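diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c
index 0237f1d..5a9ea7b 100644
--- a/modules/generators/mod_status.c
+++ b/modules/generators/mod_status.c
@@ -103,6 +103,27 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ap, STATUS, int, status_hook,
 static pid_t child_pid;
 #endif
 
+typedef struct {
+  int permit_status_handler;
+} status_config_rec;
+
+static void *create_status_dir_config(apr_pool_t *p, char *d)
+{
+  status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
+  conf->permit_status_handler = 0;
+  return conf;
+}
+
+static const command_rec status_module_cmds[] =
+{
+    AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
+                (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
+                ACCESS_CONF,
+      "As a security measure, only permit status handlers where this flag "
+      "is set. Only legal in directory context, not .htaccess."),
+    {NULL}
+};
+
 /* Format the number of bytes nicely */
 static void format_byte_out(request_rec *r, apr_off_t bytes)
 {
@@ -207,8 +228,12 @@ static int status_handler(request_rec *r)
     int times_per_thread;
 #endif
 
-    if (strcmp(r->handler, STATUS_MAGIC_TYPE) && strcmp(r->handler,
-            "server-status")) {
+    status_config_rec *conf = ap_get_module_config(r->per_dir_config,
+                                                  &status_module);
+
+    if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
+         strcmp(r->handler, "server-status")) ||
+       !conf->permit_status_handler) {
         return DECLINED;
     }
 
@@ -974,11 +999,11 @@ static void register_hooks(apr_pool_t *p)
 AP_DECLARE_MODULE(status) =
 {
     STANDARD20_MODULE_STUFF,
-    NULL,                       /* dir config creater */
+    create_status_dir_config,   /* dir config creater */
     NULL,                       /* dir merger --- default is to override */
     NULL,                       /* server config */
     NULL,                       /* merge server config */
-    NULL,                       /* command table */
+    status_module_cmds,         /* command table */
     register_hooks              /* register_hooks */
 };
 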
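Review bot: With the dir merger left NULL on the `/* dir merger --- default is to override */` line of the module-record hunk, any nested <Directory>, <Location> or .htaccess scope receives a fresh status_config_rec from create_status_dir_config and, as far as I can tell from Apache's default per-dir merge, replaces rather than inherits a parent's PermitStatusHandler On; that is fail-closed for the check in status_handler, but it means the flag must be set in the most specific scope that serves the status URL, and nothing in the patch records that. I would note it beside the directive table: `/* No dir merger: nested scopes start with PermitStatusHandler Off (fail-closed); set it in the scope that serves the status URL. */`. In the first hunk, `conf->permit_status_handler = 0;` restates what apr_pcalloc already guarantees and would read better as a comment stating that the default is Off, and the unused `d` parameter of create_status_dir_config follows the Apache callback signature and could be marked as intentionally unused. The body of status_handler continues outside the second hunk.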
[2422]77--
781.7.9.6 (Apple Git-31.1)
79