# r1807754 (r1807655 from trunk)
#
# SECURITY (CVE-2017-9798)
#
# core: Disallow Methods' registration at run time (.htaccess), they may be
# used only if registered at init time (httpd.conf).
# 
# Calling ap_method_register() in child processes is not the right scope,
# since the registration won't be shared across all requests.
#
Index: server/core.c
===================================================================
--- server/core.c.orig	2017-09-21 13:09:51.305613945 -0500
+++ server/core.c	2017-09-21 13:12:29.467996152 -0500
@@ -1809,6 +1809,12 @@
             /* method has not been registered yet, but resorce restriction
              * is always checked before method handling, so register it.
              */
+            if (cmd->pool == cmd->temp_pool) {
+                /* In .htaccess, we can't globally register new methods. */
+                return apr_psprintf(cmd->pool, "Could not register method '%s' "
+                                   "for %s from .htaccess configuration",
+                                    method, cmd->cmd->name);
+            }
             methnum = ap_method_register(cmd->pool, method);
         }
 
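Review bot: The guard `if (cmd->pool == cmd->temp_pool)` detects .htaccess context only through an unstated pool convention, and the added comment does not say why equal pools mean per-directory parsing. Presumably the .htaccess parser passes the same request-scoped pool as both `pool` and `temp_pool` (that caller is outside this hunk); if that ever changes, the check silently stops applying and run-time registration comes back. I would spell the invariant out, e.g. `/* .htaccess parsing passes one pool as both pool and temp_pool; a method registered from it would not be global, so refuse. */`, and adjust the context comment above, which still says "so register it" unconditionally. The enclosing function begins and ends outside the hunk.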
