*) SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
recognized. [Jean-Frederic Clere]
http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1167158
--- modules/proxy/mod_proxy_ajp.c 2011/09/09 13:30:49 1167157
+++ modules/proxy/mod_proxy_ajp.c 2011/09/09 13:31:06 1167158
@@ -214,7 +214,9 @@
conn->worker->hostname);
if (status == AJP_EOVERFLOW)
return HTTP_BAD_REQUEST;
- else {
+ else if (status == AJP_EBAD_METHOD) {
+ return HTTP_NOT_IMPLEMENTED;
+ } else {
/*
* This is only non fatal when the method is idempotent. In this
* case we can dare to retry it with a different worker if we are
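Review bot: the new AJP_EBAD_METHOD branch returns HTTP_NOT_IMPLEMENTED with no comment saying why this status is kept out of the final else path, whose own comment describes retrying with a different worker. A one-line comment would record the intent: an unrecognized method is a property of the request, so retrying on another worker cannot help. On style, the AJP_EOVERFLOW branch just above is unbraced while the added branch is braced and closes with "} else {"; bracing the whole chain the same way would keep it consistent. It would also help to confirm that returning here, as the AJP_EOVERFLOW case already does, leaves the backend connection in the state the caller expects, since the cleanup code is not visible in this hunk.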