httpd/httpd-2.4.27-CVE-2017-9798.patch
Jeroen van Meeuwen (Ergo Project) fd03d5ee37 Address CVE-2017-9798 by applying upstream patch
Reference RHBZ #1490344
2017-09-21 19:32:53 +02:00

16 lines
835 B
Diff

--- httpd/httpd/branches/2.4.x/server/core.c 2017/08/16 16:50:29 1805223
+++ httpd/httpd/branches/2.4.x/server/core.c 2017/09/08 13:13:11 1807754
@@ -2266,6 +2266,12 @@
/* method has not been registered yet, but resource restriction
* is always checked before method handling, so register it.
*/
+ if (cmd->pool == cmd->temp_pool) {
+ /* In .htaccess, we can't globally register new methods. */
+ return apr_psprintf(cmd->pool, "Could not register method '%s' "
+ "for %s from .htaccess configuration",
+ method, cmd->cmd->name);
+ }
methnum = ap_method_register(cmd->pool,
apr_pstrdup(cmd->pool, method));
}