Thanks Eric, Please ignore my previous message. http://svn.apache.org/viewvc?view=revision&revision=1783440
Porting from above, httpprotocoloptions works as expected. Thanks, Rashmi On Wed, Jun 14, 2017 at 9:25 AM, Rashmi Srinivasan < rashmisrinivasan2...@gmail.com> wrote: > Thanks for your response Eric. > Porting the changes from http://svn.apache.org/vie > wvc?view=revision&revision=1783440 also didn't help. > > However making a single change as bellow, got the Unsafe option to work. > > conf = (core_server_config *)apr_pmemdup(p, virt, sizeof(core_server_config)); > > to > > conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config)); > > Also, when both the changes exist, the Unsafe option doesn't seem to work > > > IS this change valid? Should we commit this to 2.2? or is Unsafe option > suppose to report with a "BAD Request" response. > > Please advise. > > > regards, > Rashmi > > > > > > On Tue, Jun 13, 2017 at 11:56 PM, Eric Covener <cove...@gmail.com> wrote: > >> http://svn.apache.org/viewvc?view=revision&revision=1783440 >> >> >> On Tue, Jun 13, 2017 at 2:19 PM, Rashmi Srinivasan >> <rashmisrinivasan2...@gmail.com> wrote: >> > Hi Yann/Eric. >> > - We have ported the changes for CVE -2016-8743. into apache 2.2 >> on >> > HP-UX >> > But while testing we find that HTTPProtocolOption Unsafe >> tested >> > with GET /HTTP 1.0/\n\n responds with BAD Request, when it is suppose to >> > succeed. >> > >> > However after making changes as mentioned in >> > https://bz.apache.org/bugzilla/show_bug.cgi?id=60704, Unsafe >> > option responds with a success. >> > >> > Is the below change valid for 2.2? >> > >> > in 2.2.32: >> > static void *merge_core_server_configs(apr_pool_t *p, void *basev, void >> > *virtv) >> > { >> > core_server_config *base = (core_server_config *)basev; >> > core_server_config *virt = (core_server_config *)virtv; >> > core_server_config *conf; >> > >> > conf = (core_server_config *)apr_pmemdup(p, base, >> > sizeof(core_server_config)); >> > >> > in 2.4.25: >> > static void *merge_core_server_configs(apr_pool_t *p, void *basev, void >> > *virtv) >> > { >> > core_server_config *base = (core_server_config *)basev; >> > core_server_config *virt = (core_server_config *)virtv; >> > core_server_config *conf = (core_server_config *) >> > apr_pmemdup(p, base, >> > sizeof(core_server_config)); >> > >> > >> > Please advise. >> > >> > Thanks >> > Rashmi >> >> >> >> -- >> Eric Covener >> cove...@gmail.com >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> >> >
