source: branches/fc19-dev/server/common/patches/httpd-mod_status-security.patch @ 2439

Last change on this file since 2439 was 2439, checked in by achernya, 11 years ago
Fix mod_status-security to actually work Upstream changed the semantics of this module, and the initial rebase mistakenly included too much upstream code.
File size: 2.7 KB
  • modules/generators/mod_status.c

    From 6fc43320aab74560a5aad10f6602309f9de9b762 Mon Sep 17 00:00:00 2001
    From: Alexander Chernyakhovsky <achernya@mit.edu>
    Date: Fri, 3 May 2013 21:39:17 -0400
    Subject: [PATCH 2/4] Prevent mod_status from taking effect in .htaccess files
    
    Introduce a directive to the Apache configuration that is only
    permitted in a directory context, called "PermitStatusHandler", to
    prevent users from enabling mod_status from their .htaccess files.
    
    Signed-off-by: Quentin Smith <quentin@mit.edu>
    Signed-off-by: Geoffrey Thomas <geofft@mit.edu>
    ---
     modules/generators/mod_status.c |   33 +++++++++++++++++++++++++++++----
     1 file changed, 29 insertions(+), 4 deletions(-)
    
    diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c
    index 0237f1d..5a9ea7b 100644
    a b APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ap, STATUS, int, status_hook, 
    103103static pid_t child_pid;
    104104#endif
    105105
     106typedef struct {
     107  int permit_status_handler;
     108} status_config_rec;
     109
     110static void *create_status_dir_config(apr_pool_t *p, char *d)
     111{
     112  status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
     113  conf->permit_status_handler = 0;
     114  return conf;
     115}
     116
     117static const command_rec status_module_cmds[] =
     118{
     119    AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
     120                 (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
     121                 ACCESS_CONF,
     122      "As a security measure, only permit status handlers where this flag "
     123      "is set. Only legal in directory context, not .htaccess."),
     124    {NULL}
     125};
     126
    106127/* Format the number of bytes nicely */
    107128static void format_byte_out(request_rec *r, apr_off_t bytes)
    108129{
    static int status_handler(request_rec *r) 
    207228    int times_per_thread;
    208229#endif
    209230
    210     if (strcmp(r->handler, STATUS_MAGIC_TYPE) && strcmp(r->handler,
    211             "server-status")) {
     231    status_config_rec *conf = ap_get_module_config(r->per_dir_config,
     232                                                   &status_module);
     233
     234    if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
     235         strcmp(r->handler, "server-status")) ||
     236        !conf->permit_status_handler) {
    212237        return DECLINED;
    213238    }
    214239
    static void register_hooks(apr_pool_t *p) 
    974999AP_DECLARE_MODULE(status) =
    9751000{
    9761001    STANDARD20_MODULE_STUFF,
    977     NULL,                       /* dir config creater */
     1002    create_status_dir_config,   /* dir config creater */
    9781003    NULL,                       /* dir merger --- default is to override */
    9791004    NULL,                       /* server config */
    9801005    NULL,                       /* merge server config */
    981     NULL,                       /* command table */
     1006    status_module_cmds,         /* command table */
    9821007    register_hooks              /* register_hooks */
    9831008};
    9841009
Note: See TracBrowser for help on using the repository browser.