# r1807754 (r1807655 from trunk) # # SECURITY (CVE-2017-9798) # # core: Disallow Methods' registration at run time (.htaccess), they may be # used only if registered at init time (httpd.conf). # # Calling ap_method_register() in children processes is not the right scope # since it won't be shared for all requests. # Index: server/core.c =================================================================== --- server/core.c (revision 1801041) +++ server/core.c (working copy) @@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_sect /* method has not been registered yet, but resource restriction * is always checked before method handling, so register it. */ + if (cmd->pool == cmd->temp_pool) { + /* In .htaccess, we can't globally register new methods. */ + return apr_psprintf(cmd->pool, "Could not register method '%s' " + "for %s from .htaccess configuration", + method, cmd->cmd->name); + } methnum = ap_method_register(cmd->pool, apr_pstrdup(cmd->pool, method)); }