Index: /server/common/patches/httpd-2.2.x-mod_status-security.patch
===================================================================
--- /server/common/patches/httpd-2.2.x-mod_status-security.patch	(revision 795)
+++ /server/common/patches/httpd-2.2.x-mod_status-security.patch	(revision 795)
@@ -0,0 +1,70 @@
+Prevents mod_status from taking effect in .htaccess files, by requiring
+a directive that's only permitted in directory context.
+
+Signed-off-by: Quentin Smith <quentin@mit.edu>
+Signed-off-by: Geoffrey Thomas <geofft@mit.edu>
+--- a/modules/generators/mod_status.c	2008-01-02 04:43:52.000000000 -0500
++++ b/modules/generators/mod_status.c	2008-08-06 01:31:26.000000000 -0400
+@@ -115,6 +115,10 @@
+ static pid_t child_pid;
+ #endif
+ 
++typedef struct {
++  int permit_status_handler;
++} status_config_rec;
++
+ /*
+  * command-related code. This is here to prevent use of ExtendedStatus
+  * without status_module included.
+@@ -139,6 +143,13 @@
+     return NULL;
+ }
+ 
++static void *create_status_dir_config(apr_pool_t *p, char *d)
++{
++  status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
++  conf->permit_status_handler = 0;
++  return conf;
++}
++
+ 
+ static const command_rec status_module_cmds[] =
+ {
+@@ -147,6 +158,11 @@
+     AP_INIT_FLAG("SeeRequestTail", set_reqtail, NULL, RSRC_CONF,
+       "For verbose requests, \"On\" to see the last 63 chars of the request, "
+       "\"Off\" (default) to see the first 63 in extended status display"),
++    AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
++		 (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
++		 ACCESS_CONF,
++      "As a security measure, only permit status handlers where this flag "
++      "is set. Only legal in directory context, not .htaccess."),
+     {NULL}
+ };
+ 
+@@ -247,9 +263,13 @@
+     pid_t *pid_buffer, worker_pid;
+     clock_t tu, ts, tcu, tcs;
+     ap_generation_t worker_generation;
+-
+-    if (strcmp(r->handler, STATUS_MAGIC_TYPE) &&
+-        strcmp(r->handler, "server-status")) {
++    
++    status_config_rec *conf = ap_get_module_config(r->per_dir_config,
++                                                      &status_module);
++
++    if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
++         strcmp(r->handler, "server-status")) ||
++	!conf->permit_status_handler) {
+         return DECLINED;
+     }
+ 
+@@ -871,7 +891,7 @@
+ module AP_MODULE_DECLARE_DATA status_module =
+ {
+     STANDARD20_MODULE_STUFF,
+-    NULL,                       /* dir config creater */
++    create_status_dir_config,   /* dir config creater */
+     NULL,                       /* dir merger --- default is to override */
+     NULL,                       /* server config */
+     NULL,                       /* merge server config */
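Review bot: The security property of this patch rests on the `NULL` dir merger rather than on anything the hunk states: with no merge function the core replaces the parent's per-dir record with the freshly zeroed one from `create_status_dir_config` for every more-specific `<Directory>`, `<Files>` or parsed `.htaccess`, so a `SetHandler server-status` in an `.htaccess` below a directory carrying `PermitStatusHandler On` is still declined — if I read the core's override semantics right. Because a later maintainer adding an ordinary inherit-style merger would quietly undo that, the merger slot should say so, e.g. `NULL, /* dir merger: deliberately absent; override semantics reset permit_status_handler in every more-specific section, which keeps .htaccess from inheriting it */`. The same fact belongs in the directive's help text, since an admin will otherwise expect inheritance: the flag must be set in the most specific section matching the request, or in a `<Location>`, which is merged last. Minor style points: `apr_pcalloc` already zeroes the record so `conf->permit_status_handler = 0;` is redundant, the added lines mix two-space indentation and hard tabs (the `AP_INIT_FLAG` continuation lines and the `!conf->permit_status_handler` line) with the file's four-space style, and the blank line before the `conf` declaration is replaced by one carrying trailing whitespace.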
Index: /server/fedora/specs/httpd.spec.patch
===================================================================
--- /server/fedora/specs/httpd.spec.patch	(revision 794)
+++ /server/fedora/specs/httpd.spec.patch	(revision 795)
@@ -1,5 +1,5 @@
 --- httpd.spec.orig	2008-02-19 02:05:36.000000000 -0500
 +++ httpd.spec	2008-05-20 19:39:59.000000000 -0400
-@@ -54,6 +54,10 @@
+@@ -54,6 +54,11 @@
  Conflicts: pcre < 4.0
  Requires: httpd-tools = %{version}-%{release}
@@ -8,9 +8,10 @@
 +Patch1001: httpd-2.2.8-sni.patch
 +Patch1002: httpd-2.2.x-broken-ldap-caching.patch
++Patch1003: httpd-2.2.x-mod_status-security.patch
 +
  %description
  The Apache HTTP Server is a powerful, efficient, and extensible
  web server.
-@@ -127,6 +131,10 @@
+@@ -127,6 +132,11 @@
  # Patch in vendor/release string
  sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@@ -19,9 +20,10 @@
 +%patch1001 -p1 -b .sni
 +%patch1002 -p1 -b .broken-ldap
++%patch1003 -p1 -b .permitstatus
 +
  # Safety check: prevent build if defined MMN does not equal upstream MMN.
  vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
  if test "x${vmmn}" != "x%{mmn}"; then
-@@ -175,10 +183,11 @@
+@@ -175,10 +184,11 @@
          --with-apr=%{_prefix} --with-apr-util=%{_prefix} \
  	--enable-suexec --with-suexec \
