[795] | 1 | Prevents mod_status from taking effect in .htaccess files, by requiring |
---|
| 2 | a directive that's only permitted in directory context. |
---|
| 3 | |
---|
| 4 | Signed-off-by: Quentin Smith <quentin@mit.edu> |
---|
| 5 | Signed-off-by: Geoffrey Thomas <geofft@mit.edu> |
---|
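--- a/modules/generators/mod_status.c 2008-01-02 04:43:52.000000000 -0500
+++ b/modules/generators/mod_status.c 2008-08-06 01:31:26.000000000 -0400
@@ -115,6 +115,10 @@
 static pid_t child_pid;
 #endif
 
+typedef struct {
+ int permit_status_handler;
+} status_config_rec;
+
 /*
 * command-related code. This is here to prevent use of ExtendedStatus
 * without status_module included.
@@ -139,6 +143,13 @@
 return NULL;
 }
 
+static void *create_status_dir_config(apr_pool_t *p, char *d)
+{
+ status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
+ conf->permit_status_handler = 0;
+ return conf;
+}
+
 
 static const command_rec status_module_cmds[] =
 {
@@ -147,6 +158,11 @@
 AP_INIT_FLAG("SeeRequestTail", set_reqtail, NULL, RSRC_CONF,
 "For verbose requests, \"On\" to see the last 63 chars of the request, "
 "\"Off\" (default) to see the first 63 in extended status display"),
+ AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
+ ACCESS_CONF,
+ "As a security measure, only permit status handlers where this flag "
+ "is set. Only legal in directory context, not .htaccess."),
 {NULL}
 };
 
@@ -247,9 +263,13 @@
 pid_t *pid_buffer, worker_pid;
 clock_t tu, ts, tcu, tcs;
 ap_generation_t worker_generation;
-
- if (strcmp(r->handler, STATUS_MAGIC_TYPE) &&
- strcmp(r->handler, "server-status")) {
+
+ status_config_rec *conf = ap_get_module_config(r->per_dir_config,
+ &status_module);
+
+ if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
+ strcmp(r->handler, "server-status")) ||
+ !conf->permit_status_handler) {
 return DECLINED;
 }
 
@@ -871,7 +891,7 @@
 module AP_MODULE_DECLARE_DATA status_module =
 {
 STANDARD20_MODULE_STUFF,
- NULL, /* dir config creater */
+ create_status_dir_config, /* dir config creater */
 NULL, /* dir merger --- default is to override */
 NULL, /* server config */
 NULL, /* merge server config */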
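Review bot: In the `@@ -247,9 +263,13 @@` hunk, a request that names `server-status` where `PermitStatusHandler` is off returns the same silent `DECLINED` as a request for an unrelated handler, so an operator gets no record that a .htaccess file or config section tried to switch the status page on. Splitting the test in two and logging the refused case makes such attempts visible in the error log; the sketch below also treats a missing `conf` as not permitted, so the gate fails closed. The flag's help text could also state that, because the dir merger slot stays `NULL`, a value set in a broad container appears to be inherited by everything beneath it unless overridden, so it belongs in the narrowest `<Location>` possible; this is inferred from Apache's usual per-directory merge, not from lines shown here. The enclosing handler function starts and ends outside the hunk.

```c
/* … unchanged: conf lookup via ap_get_module_config … */

if (strcmp(r->handler, STATUS_MAGIC_TYPE) &&
    strcmp(r->handler, "server-status")) {
    return DECLINED;
}

if (!conf || !conf->permit_status_handler) {
    /* Status handler was named here but is not permitted: record it. */
    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                  "server-status requested for %s without "
                  "PermitStatusHandler; declining", r->uri);
    return DECLINED;
}
/* … unchanged: rest of the handler … */
```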