Description: fix for CVE-2020-1927
Author: covener
Origin: upstream, https://svn.apache.org/r1873905 https://svn.apache.org/r1874191
Bug: https://security-tracker.debian.org/tracker/CVE-2020-1927
Forwarded: not-needed
Reviewed-By: Xavier Guimard
Last-Update: 2020-08-25
--- a/include/ap_regex.h
+++ b/include/ap_regex.h
@@ -84,7 +84,11 @@
 #define AP_REG_DOLLAR_ENDONLY 0x200 /* '$' matches at end of subject string only */
-#define AP_REG_MATCH "MATCH_" /** suggested prefix for ap_regname */
+#define AP_REG_NO_DEFAULT 0x400 /**< Don't implicitely add AP_REG_DEFAULT options */
+
+#define AP_REG_MATCH "MATCH_" /**< suggested prefix for ap_regname */
+
+#define AP_REG_DEFAULT (AP_REG_DOTALL|AP_REG_DOLLAR_ENDONLY)
 /* Error values: */
 enum {
--- a/modules/filters/mod_substitute.c
+++ b/modules/filters/mod_substitute.c
@@ -667,8 +667,10 @@
 /* first see if we can compile the regex */
 if (!is_pattern) {
- r = ap_pregcomp(cmd->pool, from, AP_REG_EXTENDED |
- (ignore_case ? AP_REG_ICASE : 0));
+ int flags = AP_REG_NO_DEFAULT
+ | (ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY)
+ | (ignore_case ? AP_REG_ICASE : 0);
+ r = ap_pregcomp(cmd->pool, from, flags);
 if (!r) return "Substitute could not compile regex";
 }
--- a/server/core.c
+++ b/server/core.c
@@ -4937,7 +4937,7 @@
 apr_pool_cleanup_register(pconf, NULL, reset_config_defines, apr_pool_cleanup_null);
- ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY);
+ ap_regcomp_set_default_cflags(AP_REG_DEFAULT);
 mpm_common_pre_config(pconf);
--- a/server/util_pcre.c
+++ b/server/util_pcre.c
@@ -120,8 +120,7 @@
 * Compile a regular expression *
 *************************************************/
-static int default_cflags = AP_REG_DOTALL |
- AP_REG_DOLLAR_ENDONLY;
+static int default_cflags = AP_REG_DEFAULT;
 AP_DECLARE(int) ap_regcomp_get_default_cflags(void) {
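Review bot: In include/ap_regex.h the doc comment on `AP_REG_NO_DEFAULT` does not say that a caller who sets it also gives up `AP_REG_DOLLAR_ENDONLY`, and `AP_REG_DEFAULT` carries no comment at all. Because the ap_regcomp() hunk in this same patch skips the whole default set when the flag is present, the header is where that contract should be stated. I would write `/**< Don't implicitly add the default cflags; the caller must OR in any it still needs, e.g. AP_REG_DOLLAR_ENDONLY */` (which also corrects the "implicitely" spelling) and give `AP_REG_DEFAULT` a comment such as `/**< initial value of the default cflags used by ap_regcomp() */`.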
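Review bot: In modules/filters/mod_substitute.c the new `flags` expression opts out of the defaults and then re-adds a single bit without any comment saying why, and the same `ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY` mask is repeated in the two server/util_regex.c hunks. A later call site that copies `AP_REG_NO_DEFAULT` without the mask would compile patterns whose `$` is no longer end-only, so the intent belongs next to the code, for example `/* skip the implicit AP_REG_DOTALL, but keep '$' end-only when the configured defaults ask for it */`. The new expression also omits `AP_REG_EXTENDED`, which the removed call passed; its definition is not visible here, so confirm it carries no bits (I believe ap_regex.h defines it as 0). The enclosing function starts and ends outside the hunk.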
@@ -169,7 +168,9 @@
 int errcode = 0;
 int options = PCRE_DUPNAMES;
- cflags |= default_cflags;
+ if ((cflags & AP_REG_NO_DEFAULT) == 0)
+ cflags |= default_cflags;
+
 if ((cflags & AP_REG_ICASE) != 0) options |= PCRE_CASELESS;
 if ((cflags & AP_REG_NEWLINE) != 0)
--- a/server/util_regex.c
+++ b/server/util_regex.c
@@ -94,6 +94,7 @@
 }
 /* anything after the current delimiter is flags */
+ ret->flags = ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY;
 while (*++endp) {
 switch (*endp) {
 case 'i': ret->flags |= AP_REG_ICASE; break;
@@ -106,7 +107,7 @@
 default: break; /* we should probably be stricter here */
 }
 }
- if (ap_regcomp(&ret->rx, rxstr, ret->flags) == 0) {
+ if (ap_regcomp(&ret->rx, rxstr, AP_REG_NO_DEFAULT | ret->flags) == 0) {
 apr_pool_cleanup_register(pool, &ret->rx, rxplus_cleanup, apr_pool_cleanup_null);
 }