Prevents mod_status from taking effect in .htaccess files, by requiring
a directive that's only permitted in directory context.

Signed-off-by: Quentin Smith <quentin@mit.edu>
Signed-off-by: Geoffrey Thomas <geofft@mit.edu>
--- a/modules/generators/mod_status.c	2008-01-02 04:43:52.000000000 -0500
+++ b/modules/generators/mod_status.c	2008-08-06 01:31:26.000000000 -0400
@@ -115,6 +115,10 @@
 static pid_t child_pid;
 #endif
 
+typedef struct {
+  int permit_status_handler;
+} status_config_rec;
+
 /*
  * command-related code. This is here to prevent use of ExtendedStatus
  * without status_module included.
@@ -139,6 +143,13 @@
     return NULL;
 }
 
+static void *create_status_dir_config(apr_pool_t *p, char *d)
+{
+  status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
+  conf->permit_status_handler = 0;
+  return conf;
+}
+
 
 static const command_rec status_module_cmds[] =
 {
@@ -147,6 +158,11 @@
     AP_INIT_FLAG("SeeRequestTail", set_reqtail, NULL, RSRC_CONF,
       "For verbose requests, \"On\" to see the last 63 chars of the request, "
       "\"Off\" (default) to see the first 63 in extended status display"),
+    AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
+		 (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
+		 ACCESS_CONF,
+      "As a security measure, only permit status handlers where this flag "
+      "is set. Only legal in directory context, not .htaccess."),
     {NULL}
 };
 
@@ -247,9 +263,13 @@
     pid_t *pid_buffer, worker_pid;
     clock_t tu, ts, tcu, tcs;
     ap_generation_t worker_generation;
-
-    if (strcmp(r->handler, STATUS_MAGIC_TYPE) &&
-        strcmp(r->handler, "server-status")) {
+    
+    status_config_rec *conf = ap_get_module_config(r->per_dir_config,
+                                                      &status_module);
+
+    if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
+         strcmp(r->handler, "server-status")) ||
+	!conf->permit_status_handler) {
         return DECLINED;
     }
 
@@ -871,7 +891,7 @@
 module AP_MODULE_DECLARE_DATA status_module =
 {
     STANDARD20_MODULE_STUFF,
-    NULL,                       /* dir config creater */
+    create_status_dir_config,   /* dir config creater */
     NULL,                       /* dir merger --- default is to override */
     NULL,                       /* server config */
     NULL,                       /* merge server config */