summaryrefslogtreecommitdiffstats
path: root/debian/perl-framework/t/security
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/perl-framework/t/security/CVE-2003-0542.t15
-rw-r--r--debian/perl-framework/t/security/CVE-2004-0747.t34
-rw-r--r--debian/perl-framework/t/security/CVE-2004-0811.t21
-rw-r--r--debian/perl-framework/t/security/CVE-2004-0940.t12
-rw-r--r--debian/perl-framework/t/security/CVE-2004-0942.t36
-rw-r--r--debian/perl-framework/t/security/CVE-2004-0958.t37
-rw-r--r--debian/perl-framework/t/security/CVE-2004-0959.t56
-rw-r--r--debian/perl-framework/t/security/CVE-2005-2491.t21
-rw-r--r--debian/perl-framework/t/security/CVE-2005-2700.t25
-rw-r--r--debian/perl-framework/t/security/CVE-2005-3352.t23
-rw-r--r--debian/perl-framework/t/security/CVE-2005-3357.t51
-rw-r--r--debian/perl-framework/t/security/CVE-2006-5752.t16
-rw-r--r--debian/perl-framework/t/security/CVE-2007-5000.t18
-rw-r--r--debian/perl-framework/t/security/CVE-2007-6388.t18
-rw-r--r--debian/perl-framework/t/security/CVE-2008-2364.t36
-rw-r--r--debian/perl-framework/t/security/CVE-2009-1195.t1120
-rw-r--r--debian/perl-framework/t/security/CVE-2009-1890.t65
-rw-r--r--debian/perl-framework/t/security/CVE-2009-3555.t67
-rw-r--r--debian/perl-framework/t/security/CVE-2011-3368-rewrite.t23
-rw-r--r--debian/perl-framework/t/security/CVE-2011-3368.t23
-rw-r--r--debian/perl-framework/t/security/CVE-2017-7659.t28
-rw-r--r--debian/perl-framework/t/security/CVE-2019-0215.t47
-rw-r--r--debian/perl-framework/t/security/CVE-2020-1927.t60
23 files changed, 1852 insertions, 0 deletions
diff --git a/debian/perl-framework/t/security/CVE-2003-0542.t b/debian/perl-framework/t/security/CVE-2003-0542.t
new file mode 100644
index 0000000..20497d8
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2003-0542.t
@@ -0,0 +1,15 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+plan tests => 1, need 'rewrite';
+
+my $rc;
+
+$rc = GET_RC "/security/CAN-2003-0542/nonesuch";
+
+ok t_cmp($rc, 404, "CAN-2003-0542 test case");
+
diff --git a/debian/perl-framework/t/security/CVE-2004-0747.t b/debian/perl-framework/t/security/CVE-2004-0747.t
new file mode 100644
index 0000000..414a844
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2004-0747.t
@@ -0,0 +1,34 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+plan tests => 1, need_apache(2);
+
+my $rc;
+
+$rc = GET_RC "/security/CAN-2004-0747/";
+
+# This test used to check for SegFaults when expanding variables
+# inside a .htaccess file.
+# Only, the code trying to parse the generated AuthName will
+# fail with a 500 when the string exceeds a certain length (at least on OS X)
+#
+# So, in case of a 500 return, we check for a proper body and assume
+# that the failure was graceful and not a crash.
+#
+# The alternative would be to expand a env var under our control in .htacess
+# for this test, so that the outcome is not depending on the env of the person
+# starting the test.
+#
+if ($rc == 500) {
+ my $body = GET_BODY "/security/CAN-2004-0747/";
+ if (length $body > 0) {
+ $rc = 200;
+ }
+}
+
+ok t_cmp($rc, 200, "CAN-2004-0747 ap_resolve_env test case");
+
diff --git a/debian/perl-framework/t/security/CVE-2004-0811.t b/debian/perl-framework/t/security/CVE-2004-0811.t
new file mode 100644
index 0000000..c0c7661
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2004-0811.t
@@ -0,0 +1,21 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+plan tests => 8, need_apache(2);
+
+my $rc;
+
+foreach my $y (1..4) {
+ $rc = GET_RC("/security/CAN-2004-0811/sub/");
+ ok t_cmp($rc, 200, "subdir access allowed");
+}
+
+foreach my $z (1..4) {
+ $rc = GET_RC("/security/CAN-2004-0811/");
+ ok t_cmp($rc, 401, "topdir access denied");
+}
+
diff --git a/debian/perl-framework/t/security/CVE-2004-0940.t b/debian/perl-framework/t/security/CVE-2004-0940.t
new file mode 100644
index 0000000..740b3f3
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2004-0940.t
@@ -0,0 +1,12 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+plan tests => 1, need_module 'include';
+
+# 1.3.32 and earlier will segfault
+ok t_cmp(GET_RC("/security/CAN-2004-0940.shtml"),
+ 200, 'response was 200');
diff --git a/debian/perl-framework/t/security/CVE-2004-0942.t b/debian/perl-framework/t/security/CVE-2004-0942.t
new file mode 100644
index 0000000..9810480
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2004-0942.t
@@ -0,0 +1,36 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+$SIG{PIPE} = 'IGNORE';
+
+plan tests => 2, need_min_apache_version('2.0');
+
+my $sock = Apache::TestRequest::vhost_socket('default');
+ok $sock;
+
+# This is a test for CAN-2004-0942 albeit a pretty bad one:
+# CAN-2004-0942 is a memory leak in the <=2.0.52 logic for handling
+# whitespace in folded headers. This test tests that a folded header
+# which, including whitespace, exceeds the field length limit, gets a
+# 400 response. A better httpd implementation could handle such
+# headers without the memory leak, yet would fail this test.
+
+Apache::TestRequest::socket_trace($sock);
+
+$sock->print("GET /index.html HTTP/1.0\r\n");
+
+my $n = $sock->print("Hello:\r\n");
+foreach (1..100) {
+ $n = $sock->print(" "x500 . "\r\n") if $sock->connected;
+}
+
+$sock->print("\r\n") if $sock->connected;
+
+my $line = Apache::TestRequest::getline($sock) || '';
+
+ok t_cmp($line, qr{^HTTP/1\.. 400}, "request was refused");
+
diff --git a/debian/perl-framework/t/security/CVE-2004-0958.t b/debian/perl-framework/t/security/CVE-2004-0958.t
new file mode 100644
index 0000000..87e8d39
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2004-0958.t
@@ -0,0 +1,37 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my %queries =
+(
+
+ "foo[bar=1" => qr/\[foo_bar\] => 1\n/,
+ "foo bar=2" => qr/\[foo_bar\] => 2\n/,
+ "foo. .bar=3" => qr/\[foo___bar\] => 3\n/,
+ "foobar[=3" => qr/\[foobar_\] => 3\n/,
+
+ "foo[g][=1" => qr/\[g\] => 1\n/, # corruption pre-5.0.2/4.3.9
+ "foo[][=2" => qr/\[0\] => 2\n/, # segfault in 5.0.2/4.3.9
+
+ "foo[][[[[[=3" => qr/\[0\] => 3\n/,
+ "foo[][][][][]=5" => qr/\[0\] => 5\n/,
+
+ "foo[j]bar=6" => qr/\[j\] => 6\n/,
+
+
+### tests which have dubious results currently:
+# "foo[[[[[[[h]=4" => qr/\[0\] => 4\n/,
+# "foo[ ]=7" => qr/\[baz\] => 7\n/,
+# "foo[ ]=7" => qr/\[baz\] => 7\n/,
+
+ );
+
+plan tests => (keys %queries) * 1, need_php;
+
+foreach (keys %queries) {
+ my $actual = GET_BODY "/security/CAN-2004-0958.php?".$_;
+ ok t_cmp($actual, $queries{$_}, "query for $_");
+}
diff --git a/debian/perl-framework/t/security/CVE-2004-0959.t b/debian/perl-framework/t/security/CVE-2004-0959.t
new file mode 100644
index 0000000..fb15e80
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2004-0959.t
@@ -0,0 +1,56 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+plan tests => 6, need 'LWP', { "PHP not installed", \&need_php };
+
+use HTTP::Message;
+
+my $url = Apache::TestRequest::resolve_url("/security/CAN-2004-0959.php");
+
+sub multipart
+{
+ my $name = shift;
+ my $filename = shift;
+ my $ctype = shift;
+ my $extra = shift;
+ my $req = HTTP::Request->new(POST => $url);
+
+ $req->header(Content_Type => 'multipart/form-data; boundary=XXXX');
+
+ $req->content("--XXXX\n".
+ "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n".
+ "30000\n".
+ "--XXXX\n".
+ "Content-Disposition: form-data; name=\"".$name."\"; filename=\"".$filename."\"\n".
+ "Content-Type: ".$ctype."\n\n".
+ "fish\n");
+
+ $req->add_content($extra) if $extra;
+
+ $req->add_content("--XXXX--\n");
+
+ Apache::TestRequest::user_agent->request($req);
+}
+
+my $resp = multipart("user_file", "fish.php", "text/plain");
+ok t_cmp($resp->code, 200, "POST request success");
+ok t_cmp($resp->content, "fish.php", "filename parsed safely");
+
+$resp = multipart("user_file", "../../fish.php", "text/plain");
+ok t_cmp($resp->code, 200, "POST request success");
+ok t_cmp($resp->content, "fish.php", "filename parsed safely");
+
+$resp = multipart
+ ("user[file[name]123", "good.php", "/tmp/passt.php",
+ "--XXXX\n".
+ "Content-Disposition: form-data; name=\"user[file[type]123\"; filename=\"vg\"\n".
+ "Content-Type: text/plain\n\n".
+ "fishfood\n");
+
+ok t_cmp($resp->code, 200, "POST request success");
+ok t_cmp($resp->content, "FAILED", "filename parsed safely");
+
diff --git a/debian/perl-framework/t/security/CVE-2005-2491.t b/debian/perl-framework/t/security/CVE-2005-2491.t
new file mode 100644
index 0000000..7085fb8
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2005-2491.t
@@ -0,0 +1,21 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+plan tests => 2 * 2, need 'rewrite';
+
+foreach my $dir ("one/", "two/") {
+ my $r = GET("/security/CAN-2005-2491/" . $dir);
+
+ # LWP will generate the annoying fake-500 response if the server
+ # segfaults before generating its own 500 response; check
+ # the response message explicitly to rule that out.
+
+ ok t_cmp($r->message, 'Internal Server Error',
+ 'check that server did not segfault');
+
+ ok t_cmp($r->code, 500, "check for 500 response error");
+}
diff --git a/debian/perl-framework/t/security/CVE-2005-2700.t b/debian/perl-framework/t/security/CVE-2005-2700.t
new file mode 100644
index 0000000..6af7fae
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2005-2700.t
@@ -0,0 +1,25 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my $vars = Apache::Test::vars();
+
+plan tests => 2, need $vars->{ssl_module_name}, need_lwp,
+ qw(LWP::Protocol::https);
+
+Apache::TestRequest::user_agent_keepalive(0);
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::module('ssl_optional_cc');
+
+my $r;
+
+$r = GET "/require/none/";
+
+ok t_cmp($r->code, 200, "access permitted without ccert");
+
+$r = GET "/require/any/";
+
+ok !t_cmp($r->code, 200, "access *not* permitted without ccert");
diff --git a/debian/perl-framework/t/security/CVE-2005-3352.t b/debian/perl-framework/t/security/CVE-2005-3352.t
new file mode 100644
index 0000000..b1881a9
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2005-3352.t
@@ -0,0 +1,23 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my $vars = Apache::Test::vars();
+
+plan tests => 2, need_imagemap;
+
+my $url = "/security/CVE-2005-3352.map";
+
+my $r = GET $url, Referer => '">http://fish/';
+
+ok t_cmp($r->code, 200, "response code is OK");
+
+if ((!have_min_apache_version('2.3') && have_min_apache_version('2.2.24')) ||
+ have_min_apache_version('2.4.4')) {
+ ok t_cmp($r->content, qr/%22%3e/, "referer was escaped");
+} else {
+ ok t_cmp($r->content, qr/\&quot/, "referer was escaped");
+}
diff --git a/debian/perl-framework/t/security/CVE-2005-3357.t b/debian/perl-framework/t/security/CVE-2005-3357.t
new file mode 100644
index 0000000..0124796
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2005-3357.t
@@ -0,0 +1,51 @@
+use strict;
+use warnings FATAL => 'all';
+
+# Test case for PR 33791.
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+BEGIN {
+ # prevent TestRequest from croaking on an HTTP/0.9 response
+ $ENV{APACHE_TEST_HTTP_09_OK} = 1;
+}
+
+my $vars = Apache::Test::vars();
+
+plan tests => 3, need $vars->{ssl_module_name}, need_lwp,
+ qw(LWP::Protocol::https);
+
+Apache::TestRequest::user_agent_keepalive(0);
+
+my $config = Apache::Test::config();
+
+Apache::TestRequest::module("ssl_pr33791");
+
+my $hostport = Apache::TestRequest::hostport();
+
+my $rurl = "http://" . $hostport . "/";
+
+t_debug("URL is $rurl");
+
+my $r = GET($rurl);
+
+my $proto = $r->protocol;
+
+ok $proto;
+
+if (!$proto) {
+ skip "server gave no response";
+} else {
+ if ($proto eq "HTTP/0.9") {
+ skip "server gave HTTP/0.9 response";
+ } elsif ($proto) {
+ ok t_cmp($r->code,
+ 400,
+ "Expected bad request from 'GET $rurl'"
+ );
+ }
+}
+
+ok t_cmp($r->content, qr/welcome to localhost/, "errordoc content was served");
diff --git a/debian/perl-framework/t/security/CVE-2006-5752.t b/debian/perl-framework/t/security/CVE-2006-5752.t
new file mode 100644
index 0000000..911f59f
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2006-5752.t
@@ -0,0 +1,16 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+plan tests => 2, need_module 'status';
+
+my $r;
+
+$r = GET "/server-status";
+
+ok t_cmp($r->code, 200, "server-status gave response");
+
+ok t_cmp($r->header("Content-Type"), qr/charset=/, "response content-type had charset");
diff --git a/debian/perl-framework/t/security/CVE-2007-5000.t b/debian/perl-framework/t/security/CVE-2007-5000.t
new file mode 100644
index 0000000..8502378
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2007-5000.t
@@ -0,0 +1,18 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my $vars = Apache::Test::vars();
+
+plan tests => 2, need_imagemap;
+
+my $url = '/security/CVE-2005-3352.map/<foo>';
+
+my $r = GET $url;
+
+ok t_cmp($r->code, 200, "response code is OK");
+
+ok !t_cmp($r->content, qr/<foo>/, "URI was escaped in response");
diff --git a/debian/perl-framework/t/security/CVE-2007-6388.t b/debian/perl-framework/t/security/CVE-2007-6388.t
new file mode 100644
index 0000000..70ebb7d
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2007-6388.t
@@ -0,0 +1,18 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my $vars = Apache::Test::vars();
+
+plan tests => 2, need_module 'status';
+
+my $url = '/server-status?refresh=42;fish';
+
+my $r = GET $url;
+
+ok t_cmp($r->code, 200, "response code is OK");
+
+ok t_cmp($r->header('Refresh'), 42, "refresh parameter not echoed verbatim");
diff --git a/debian/perl-framework/t/security/CVE-2008-2364.t b/debian/perl-framework/t/security/CVE-2008-2364.t
new file mode 100644
index 0000000..46552ad
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2008-2364.t
@@ -0,0 +1,36 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+use Apache::TestConfig ();
+
+my $tests = 3;
+my $server_suppresses_interim = 1;
+if (!have_min_apache_version("2.4.10")) {
+ $tests = 1;
+ $server_suppresses_interim = 0;
+}
+
+plan tests => $tests, need_module 'proxy';
+
+Apache::TestRequest::module("proxy_http_reverse");
+Apache::TestRequest::user_agent(requests_redirectable => 0);
+
+my $r = GET("/reverse/");
+ok t_cmp($r->code, 200, "reverse proxy to index.html");
+if (have_cgi) {
+ if ($server_suppresses_interim) {
+ # XXX: This doesn't work in 2.2.x w/o at least r1588519 because LWP
+ # sees the unexpected interim response and stops.
+ $r = GET("/reverse/modules/cgi/nph-interim1.pl");
+ ok t_cmp($r->code, 200, "small number of interim responses - CVE-2008-2364");
+
+ $r = GET("/reverse/modules/cgi/nph-interim2.pl");
+ ok t_cmp($r->code, 502, "large number of interim responses - CVE-2008-2364");
+ }
+} else {
+ skip "skipping tests without CGI module" foreach (1..2);
+}
+
diff --git a/debian/perl-framework/t/security/CVE-2009-1195.t b/debian/perl-framework/t/security/CVE-2009-1195.t
new file mode 100644
index 0000000..70663c4
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2009-1195.t
@@ -0,0 +1,1120 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+
+
+plan tests => 221, need 'include', need_min_apache_version('2.2');
+
+Apache::TestRequest::module('mod_include'); #use this module's port
+
+my $r;
+my $body;
+
+### Test #1, context: Options None : AllowOverride Options=IncludesNoExec : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/1/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #1; 500 response expected");
+
+### Test #2, context: Options None : AllowOverride Options=IncludesNoExec : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/2/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #2; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #2");
+
+### Test #3, context: Options None : AllowOverride Options=IncludesNoExec : Options Includes
+
+$r = GET("/modules/include/ssi-exec/3/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #3; 500 response expected");
+
+### Test #4, context: Options None : AllowOverride Options=IncludesNoExec : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/4/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #4; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #4");
+
+### Test #5, context: Options None : AllowOverride Options=IncludesNoExec : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/5/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #5; 500 response expected");
+
+### Test #6, context: Options None : AllowOverride Options=IncludesNoExec : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/6/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #6; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #6");
+
+### Test #7, context: Options None : AllowOverride Options=IncludesNoExec : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/7/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #7; 500 response expected");
+
+### Test #8, context: Options None : AllowOverride Options=IncludesNoExec : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/8/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #8; 500 response expected");
+
+### Test #9, context: Options None : AllowOverride Options=IncludesNoExec : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/9/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #9; 500 response expected");
+
+### Test #10, context: Options None : AllowOverride Options=IncludesNoExec : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/10/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #10; 500 response expected");
+
+### Test #11, context: Options None : AllowOverride Options=Includes : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/11/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #11; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #11");
+
+### Test #12, context: Options None : AllowOverride Options=Includes : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/12/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #12; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #12");
+
+### Test #13, context: Options None : AllowOverride Options=Includes : Options Includes
+
+$r = GET("/modules/include/ssi-exec/13/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #13; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #13");
+
+### Test #14, context: Options None : AllowOverride Options=Includes : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/14/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #14; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #14");
+
+### Test #15, context: Options None : AllowOverride Options=Includes : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/15/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #15; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #15");
+
+### Test #16, context: Options None : AllowOverride Options=Includes : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/16/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #16; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #16");
+
+### Test #17, context: Options None : AllowOverride Options=Includes : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/17/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #17; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #17");
+
+### Test #18, context: Options None : AllowOverride Options=Includes : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/18/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #18; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #18");
+
+### Test #19, context: Options None : AllowOverride Options=Includes : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/19/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #19; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #19");
+
+### Test #20, context: Options None : AllowOverride Options=Includes : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/20/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #20; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #20");
+
+### Test #21, context: Options None : AllowOverride All : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/21/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #21; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #21");
+
+### Test #22, context: Options None : AllowOverride All : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/22/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #22; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #22");
+
+### Test #23, context: Options None : AllowOverride All : Options Includes
+
+$r = GET("/modules/include/ssi-exec/23/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #23; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #23");
+
+### Test #24, context: Options None : AllowOverride All : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/24/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #24; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #24");
+
+### Test #25, context: Options None : AllowOverride All : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/25/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #25; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #25");
+
+### Test #26, context: Options None : AllowOverride All : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/26/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #26; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #26");
+
+### Test #27, context: Options None : AllowOverride All : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/27/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #27; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #27");
+
+### Test #28, context: Options None : AllowOverride All : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/28/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #28; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #28");
+
+### Test #29, context: Options None : AllowOverride All : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/29/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #29; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #29");
+
+### Test #30, context: Options None : AllowOverride All : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/30/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #30; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #30");
+
+### Test #31, context: Options None : AllowOverride None : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/31/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #31; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #31");
+
+### Test #32, context: Options None : AllowOverride None : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/32/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #32; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #32");
+
+### Test #33, context: Options None : AllowOverride None : Options Includes
+
+$r = GET("/modules/include/ssi-exec/33/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #33; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #33");
+
+### Test #34, context: Options None : AllowOverride None : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/34/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #34; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #34");
+
+### Test #35, context: Options None : AllowOverride None : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/35/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #35; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #35");
+
+### Test #36, context: Options None : AllowOverride None : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/36/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #36; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #36");
+
+### Test #37, context: Options None : AllowOverride None : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/37/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #37; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #37");
+
+### Test #38, context: Options None : AllowOverride None : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/38/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #38; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #38");
+
+### Test #39, context: Options None : AllowOverride None : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/39/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #39; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #39");
+
+### Test #40, context: Options None : AllowOverride None : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/40/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #40; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #40");
+
+### Test #41, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/41/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #41; 500 response expected");
+
+### Test #42, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/42/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #42; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #42");
+
+### Test #43, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options Includes
+
+$r = GET("/modules/include/ssi-exec/43/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #43; 500 response expected");
+
+### Test #44, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/44/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #44; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #44");
+
+### Test #45, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/45/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #45; 500 response expected");
+
+### Test #46, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/46/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #46; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #46");
+
+### Test #47, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/47/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #47; 500 response expected");
+
+### Test #48, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/48/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #48; 500 response expected");
+
+### Test #49, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/49/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #49; 500 response expected");
+
+### Test #50, context: Options IncludesNoExec : AllowOverride Options=IncludesNoExec : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/50/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #50; 500 response expected");
+
+### Test #51, context: Options IncludesNoExec : AllowOverride Options=Includes : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/51/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #51; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #51");
+
+### Test #52, context: Options IncludesNoExec : AllowOverride Options=Includes : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/52/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #52; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #52");
+
+### Test #53, context: Options IncludesNoExec : AllowOverride Options=Includes : Options Includes
+
+$r = GET("/modules/include/ssi-exec/53/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #53; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #53");
+
+### Test #54, context: Options IncludesNoExec : AllowOverride Options=Includes : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/54/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #54; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #54");
+
+### Test #55, context: Options IncludesNoExec : AllowOverride Options=Includes : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/55/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #55; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #55");
+
+### Test #56, context: Options IncludesNoExec : AllowOverride Options=Includes : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/56/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #56; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #56");
+
+### Test #57, context: Options IncludesNoExec : AllowOverride Options=Includes : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/57/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #57; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #57");
+
+### Test #58, context: Options IncludesNoExec : AllowOverride Options=Includes : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/58/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #58; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #58");
+
+### Test #59, context: Options IncludesNoExec : AllowOverride Options=Includes : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/59/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #59; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #59");
+
+### Test #60, context: Options IncludesNoExec : AllowOverride Options=Includes : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/60/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #60; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #60");
+
+### Test #61, context: Options IncludesNoExec : AllowOverride All : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/61/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #61; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #61");
+
+### Test #62, context: Options IncludesNoExec : AllowOverride All : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/62/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #62; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #62");
+
+### Test #63, context: Options IncludesNoExec : AllowOverride All : Options Includes
+
+$r = GET("/modules/include/ssi-exec/63/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #63; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #63");
+
+### Test #64, context: Options IncludesNoExec : AllowOverride All : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/64/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #64; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #64");
+
+### Test #65, context: Options IncludesNoExec : AllowOverride All : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/65/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #65; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #65");
+
+### Test #66, context: Options IncludesNoExec : AllowOverride All : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/66/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #66; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #66");
+
+### Test #67, context: Options IncludesNoExec : AllowOverride All : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/67/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #67; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #67");
+
+### Test #68, context: Options IncludesNoExec : AllowOverride All : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/68/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #68; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #68");
+
+### Test #69, context: Options IncludesNoExec : AllowOverride All : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/69/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #69; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #69");
+
+### Test #70, context: Options IncludesNoExec : AllowOverride All : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/70/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #70; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #70");
+
+### Test #71, context: Options IncludesNoExec : AllowOverride None : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/71/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #71; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #71");
+
+### Test #72, context: Options IncludesNoExec : AllowOverride None : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/72/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #72; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #72");
+
+### Test #73, context: Options IncludesNoExec : AllowOverride None : Options Includes
+
+$r = GET("/modules/include/ssi-exec/73/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #73; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #73");
+
+### Test #74, context: Options IncludesNoExec : AllowOverride None : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/74/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #74; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #74");
+
+### Test #75, context: Options IncludesNoExec : AllowOverride None : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/75/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #75; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #75");
+
+### Test #76, context: Options IncludesNoExec : AllowOverride None : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/76/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #76; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #76");
+
+### Test #77, context: Options IncludesNoExec : AllowOverride None : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/77/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #77; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #77");
+
+### Test #78, context: Options IncludesNoExec : AllowOverride None : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/78/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #78; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #78");
+
+### Test #79, context: Options IncludesNoExec : AllowOverride None : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/79/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #79; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #79");
+
+### Test #80, context: Options IncludesNoExec : AllowOverride None : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/80/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #80; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #80");
+
+### Test #81, context: Options Includes : AllowOverride Options=IncludesNoExec : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/81/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #81; 500 response expected");
+
+### Test #82, context: Options Includes : AllowOverride Options=IncludesNoExec : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/82/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #82; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #82");
+
+### Test #83, context: Options Includes : AllowOverride Options=IncludesNoExec : Options Includes
+
+$r = GET("/modules/include/ssi-exec/83/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #83; 500 response expected");
+
+### Test #84, context: Options Includes : AllowOverride Options=IncludesNoExec : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/84/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #84; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #84");
+
+### Test #85, context: Options Includes : AllowOverride Options=IncludesNoExec : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/85/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #85; 500 response expected");
+
+### Test #86, context: Options Includes : AllowOverride Options=IncludesNoExec : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/86/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #86; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #86");
+
+### Test #87, context: Options Includes : AllowOverride Options=IncludesNoExec : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/87/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #87; 500 response expected");
+
+### Test #88, context: Options Includes : AllowOverride Options=IncludesNoExec : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/88/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #88; 500 response expected");
+
+### Test #89, context: Options Includes : AllowOverride Options=IncludesNoExec : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/89/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #89; 500 response expected");
+
+### Test #90, context: Options Includes : AllowOverride Options=IncludesNoExec : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/90/exec.shtml");
+ok t_cmp($r->code, 500, "Options should not be allowed for script #90; 500 response expected");
+
+### Test #91, context: Options Includes : AllowOverride Options=Includes : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/91/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #91; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #91");
+
+### Test #92, context: Options Includes : AllowOverride Options=Includes : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/92/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #92; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #92");
+
+### Test #93, context: Options Includes : AllowOverride Options=Includes : Options Includes
+
+$r = GET("/modules/include/ssi-exec/93/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #93; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #93");
+
+### Test #94, context: Options Includes : AllowOverride Options=Includes : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/94/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #94; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #94");
+
+### Test #95, context: Options Includes : AllowOverride Options=Includes : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/95/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #95; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #95");
+
+### Test #96, context: Options Includes : AllowOverride Options=Includes : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/96/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #96; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #96");
+
+### Test #97, context: Options Includes : AllowOverride Options=Includes : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/97/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #97; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #97");
+
+### Test #98, context: Options Includes : AllowOverride Options=Includes : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/98/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #98; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #98");
+
+### Test #99, context: Options Includes : AllowOverride Options=Includes : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/99/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #99; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #99");
+
+### Test #100, context: Options Includes : AllowOverride Options=Includes : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/100/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #100; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #100");
+
+### Test #101, context: Options Includes : AllowOverride All : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/101/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #101; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #101");
+
+### Test #102, context: Options Includes : AllowOverride All : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/102/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #102; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #102");
+
+### Test #103, context: Options Includes : AllowOverride All : Options Includes
+
+$r = GET("/modules/include/ssi-exec/103/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #103; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #103");
+
+### Test #104, context: Options Includes : AllowOverride All : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/104/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #104; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #104");
+
+### Test #105, context: Options Includes : AllowOverride All : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/105/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #105; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #105");
+
+### Test #106, context: Options Includes : AllowOverride All : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/106/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #106; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #106");
+
+### Test #107, context: Options Includes : AllowOverride All : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/107/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #107; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, '[an error occurred while processing this directive]', "SSI should be evaluated but exec not permitted for script #107");
+
+### Test #108, context: Options Includes : AllowOverride All : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/108/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #108; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #108");
+
+### Test #109, context: Options Includes : AllowOverride All : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/109/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #109; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #109");
+
+### Test #110, context: Options Includes : AllowOverride All : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/110/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #110; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, qr/--\#exec cgi=/, "SSI should not be evaluated for script #110");
+
+### Test #111, context: Options Includes : AllowOverride None : Options +Includes
+
+$r = GET("/modules/include/ssi-exec/111/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #111; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #111");
+
+### Test #112, context: Options Includes : AllowOverride None : Options +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/112/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #112; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #112");
+
+### Test #113, context: Options Includes : AllowOverride None : Options Includes
+
+$r = GET("/modules/include/ssi-exec/113/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #113; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #113");
+
+### Test #114, context: Options Includes : AllowOverride None : Options IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/114/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #114; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #114");
+
+### Test #115, context: Options Includes : AllowOverride None : Options -Includes
+
+$r = GET("/modules/include/ssi-exec/115/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #115; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #115");
+
+### Test #116, context: Options Includes : AllowOverride None : Options -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/116/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #116; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #116");
+
+### Test #117, context: Options Includes : AllowOverride None : Options -Includes +IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/117/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #117; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #117");
+
+### Test #118, context: Options Includes : AllowOverride None : Options +Includes -IncludesNoExec
+
+$r = GET("/modules/include/ssi-exec/118/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #118; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #118");
+
+### Test #119, context: Options Includes : AllowOverride None : Options -IncludesNoExec +Includes
+
+$r = GET("/modules/include/ssi-exec/119/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #119; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #119");
+
+### Test #120, context: Options Includes : AllowOverride None : Options +IncludesNoExec -Includes
+
+$r = GET("/modules/include/ssi-exec/120/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #120; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #120");
+
+### Test #121, context: Options Includes : AllowOverride None : No options in subdir, no .htaccess
+
+$r = GET("/modules/include/ssi-exec/121/subdir/exec.shtml");
+ok t_cmp($r->code, 200, "Options should be allowed for script #121; 200 response expected");
+
+$body = $r->content;
+chomp $body;
+
+ok t_cmp($body, 'perl cgi', "SSI should be evaluated with exec allowed for script #121");
+
diff --git a/debian/perl-framework/t/security/CVE-2009-1890.t b/debian/perl-framework/t/security/CVE-2009-1890.t
new file mode 100644
index 0000000..6ef46b2
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2009-1890.t
@@ -0,0 +1,65 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+
+use IO::Select;
+
+plan tests => 7, need [qw(mod_proxy proxy_http.c)];
+
+my $len = 100000;
+
+my $sock = Apache::TestRequest::vhost_socket('proxy_http_reverse');
+ok $sock && $sock->connected;
+
+my $req =
+ "POST /reverse/modules/cgi/perl_echo.pl HTTP/1.0\r\n".
+ "Content-Length: 0" . $len . "\r\n".
+ "\r\n";
+
+ok $sock->print($req);
+
+my $half_body = 'x' x ($len/2);
+ok $sock->print($half_body);
+sleep(1);
+ok $sock->print($half_body);
+
+my $readable = IO::Select->new($sock)->can_read(10);
+ok $readable, 1, "timeout, server hung";
+if (!$readable) {
+ skip "server hung, not testing further", foreach(1..2);
+ exit(0);
+}
+
+my $line = Apache::TestRequest::getline($sock) || '';
+ok t_cmp($line, qr{^HTTP/1\.. 200}, "request was parsed");
+
+do {
+ $line = Apache::TestRequest::getline($sock) || '';
+ $line = super_chomp($line);
+ print "# header: $line\n";
+} until ($line eq "");
+
+my $buffer;
+while ($len > 0 && $sock->read($buffer, $len)) {
+ print "# got: $buffer\n";
+ $len -= length($buffer);
+ print "# remaining: $len\n";
+}
+
+ok t_cmp($len, 0, "read entire body");
+
+sub super_chomp {
+ my ($body) = shift;
+
+ ## super chomp - all leading and trailing \n (and \r for win32)
+ $body =~ s/^[\n\r]*//;
+ $body =~ s/[\n\r]*$//;
+ ## and all the rest change to spaces
+ $body =~ s/\n/ /g;
+ $body =~ s/\r//g; #rip out all remaining \r's
+
+ $body;
+}
diff --git a/debian/perl-framework/t/security/CVE-2009-3555.t b/debian/perl-framework/t/security/CVE-2009-3555.t
new file mode 100644
index 0000000..bd0c413
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2009-3555.t
@@ -0,0 +1,67 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+
+plan tests => 4, need 'ssl';
+
+# This test case attempts only one type of attack which is possible
+# due to the TLS renegotiation vulnerability, CVE-2009-3555. A
+# specific defense against this attack was added to mod_ssl in
+# r891282. For more information, see the dev@httpd thread beginning
+# at message ID <4B01BD20.1060300@adnovum.ch>.
+
+Apache::TestRequest::set_client_cert("client_ok");
+
+Apache::TestRequest::module('mod_ssl');
+
+my $sock = Apache::TestRequest::vhost_socket('mod_ssl');
+
+if ($sock && $sock->connected && $sock->get_sslversion() eq "TLSv1_3") {
+ skip "Skipping test for TLSv1.3" foreach(1..4);
+ exit;
+}
+
+ok $sock && $sock->connected;
+
+
+my $req = "GET /require/asf/ HTTP/1.1\r\n".
+ "Host: " . Apache::TestRequest::hostport() . "\r\n".
+ "\r\n".
+ "GET /this/is/a/prefix/injection/attack HTTP/1.0\r\n".
+ "Host: " . Apache::TestRequest::hostport() . "\r\n".
+ "\r\n";
+
+ok $sock->print($req);
+
+my $line = Apache::TestRequest::getline($sock) || '';
+
+ok t_cmp($line, qr{^HTTP/1\.. 200}, "read first response-line");
+
+my $rv = 0;
+
+do {
+ $line = Apache::TestRequest::getline($sock) || '';
+ $line = super_chomp($line);
+ print "# line: $line\n";
+ if ($line eq "Connection: close") {
+ $rv = 1;
+ }
+} until ($line eq "");
+
+ok $rv, 1, "expected Connection: close header in response";
+
+sub super_chomp {
+ my ($body) = shift;
+
+ ## super chomp - all leading and trailing \n (and \r for win32)
+ $body =~ s/^[\n\r]*//;
+ $body =~ s/[\n\r]*$//;
+ ## and all the rest change to spaces
+ $body =~ s/\n/ /g;
+ $body =~ s/\r//g; #rip out all remaining \r's
+
+ $body;
+}
diff --git a/debian/perl-framework/t/security/CVE-2011-3368-rewrite.t b/debian/perl-framework/t/security/CVE-2011-3368-rewrite.t
new file mode 100644
index 0000000..4107be0
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2011-3368-rewrite.t
@@ -0,0 +1,23 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+
+plan tests => 3, need 'rewrite';
+
+Apache::TestRequest::module("cve_2011_3368_rewrite");
+
+my $sock = Apache::TestRequest::vhost_socket();
+ok $sock && $sock->connected;
+
+my $req = "GET @"."localhost/foobar.html HTTP/1.1\r\n".
+ "Host: " . Apache::TestRequest::hostport() . "\r\n".
+ "\r\n";
+
+ok $sock->print($req);
+
+my $line = Apache::TestRequest::getline($sock) || '';
+
+ok t_cmp($line, qr{^HTTP/1\.. 400 Bad Request}, "got 400 error");
diff --git a/debian/perl-framework/t/security/CVE-2011-3368.t b/debian/perl-framework/t/security/CVE-2011-3368.t
new file mode 100644
index 0000000..bbedc79
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2011-3368.t
@@ -0,0 +1,23 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+
+plan tests => 3, need 'proxy', need_min_apache_version('2.2.5');
+
+Apache::TestRequest::module("cve_2011_3368");
+
+my $sock = Apache::TestRequest::vhost_socket();
+ok $sock && $sock->connected;
+
+my $req = "GET @"."localhost/foobar.html HTTP/1.1\r\n".
+ "Host: " . Apache::TestRequest::hostport() . "\r\n".
+ "\r\n";
+
+ok $sock->print($req);
+
+my $line = Apache::TestRequest::getline($sock) || '';
+
+ok t_cmp($line, qr{^HTTP/1\.. 400 Bad Request}, "got 400 error");
diff --git a/debian/perl-framework/t/security/CVE-2017-7659.t b/debian/perl-framework/t/security/CVE-2017-7659.t
new file mode 100644
index 0000000..690922d
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2017-7659.t
@@ -0,0 +1,28 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+plan tests => 2,
+ need(
+ need_module('http2')
+ );
+
+my $module = "h2c";
+Apache::TestRequest::module($module);
+
+my $sock = Apache::TestRequest::vhost_socket($module);
+ok $sock;
+
+# Thanks to Javier Jimenez for this test case.
+Apache::TestRequest::socket_trace($sock);
+$sock->print("p * HTTP/1.0\r\n"
+ . "Connection:H/\r\n"
+ . "Upgrade:h2c\r\n"
+ . "HTTP2-Settings:\r\n\r\n");
+
+# The server should not have crashed -- getc() should return *something*.
+ok $sock->getc();
+$sock->close();
diff --git a/debian/perl-framework/t/security/CVE-2019-0215.t b/debian/perl-framework/t/security/CVE-2019-0215.t
new file mode 100644
index 0000000..978c1ef
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2019-0215.t
@@ -0,0 +1,47 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my $vars = Apache::Test::vars();
+
+plan tests => 2, need $vars->{ssl_module_name}, need_lwp,
+ qw(LWP::Protocol::https);
+
+my $r;
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::module('ssl_optional_cc');
+
+$r = GET "/require/none/";
+my $tls13_works = $r->is_success;
+
+# Forget the above user agent settings, start fresh
+Apache::TestRequest::user_agent(reset => 1);
+
+# If TLS 1.3 worked, run the tests using it and expect 403.
+# Older TLS versions seem to show the TLS alert client side as a 500.
+my $expected_status;
+if ($tls13_works) {
+ Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+ $expected_status = 403;
+ t_debug "Using TLSv13, expecting status 403";
+} else {
+ t_debug "Using TLS before TLSv13, expecting status 500";
+ $expected_status = 500;
+}
+
+Apache::TestRequest::user_agent_keepalive(1);
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::module('ssl_optional_cc');
+
+$r = GET "/require/any/";
+
+ok t_cmp($r->code, $expected_status, "first access denied without client cert");
+
+$r = GET "/require/any/";
+
+ok t_cmp($r->code, $expected_status, "second access denied without client cert");
diff --git a/debian/perl-framework/t/security/CVE-2020-1927.t b/debian/perl-framework/t/security/CVE-2020-1927.t
new file mode 100644
index 0000000..523feb6
--- /dev/null
+++ b/debian/perl-framework/t/security/CVE-2020-1927.t
@@ -0,0 +1,60 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+use MIME::Base64;
+use Data::Dumper;
+use HTTP::Response;
+use Socket;
+
+plan tests => 1, need_min_apache_version('2.4.42');
+
+my $sock = Apache::TestRequest::vhost_socket("core");
+if (!$sock) {
+ print "# failed to connect\n";
+ ok(0);
+ next;
+}
+
+my $req = sprintf "GET /CVE-2020-1927/%%0D%%0Ahttp://127.0.0.1/ HTTP/1.1\r\nHost: merge-disabled\r\nConnection: close\r\n\r\n";
+print "# SENDING to " . peer($sock) . "\n# $req\n";
+$sock->print("$req");
+$sock->flush();
+sleep(0.1);
+$req = escape($req);
+print "# SENDING to " . peer($sock) . "\n# $req\n";
+
+my $response_data = "";
+my $buf;
+while ($sock->read($buf, 10000) > 0) {
+ $response_data .= $buf;
+}
+my $response = HTTP::Response->parse($response_data);
+if (! defined $response) {
+ die "HTTP::Response->parse failed";
+}
+ok t_cmp($response->code, 404, "regex didn't match and redirect");
+
+sub escape
+{
+ my $in = shift;
+ $in =~ s{\\}{\\\\}g;
+ $in =~ s{\r}{\\r}g;
+ $in =~ s{\n}{\\n}g;
+ $in =~ s{\t}{\\t}g;
+ $in =~ s{([\x00-\x1f])}{sprintf("\\x%02x", ord($1))}ge;
+ return $in;
+}
+
+sub peer
+{
+ my $sock = shift;
+ my $hersockaddr = getpeername($sock);
+ return "<disconnected>" if !$hersockaddr;
+ my ($port, $iaddr) = sockaddr_in($hersockaddr);
+ my $herhostname = gethostbyaddr($iaddr, AF_INET);
+ my $herstraddr = inet_ntoa($iaddr);
+ return "$herstraddr:$port";
+}