SECURITY: CAN-2004-0811 (cve.mitre.org) Fix merging of the Satisfy directive, which was applied to the surrounding context and could allow access despite configured authentication. (a regression in 2.0.51) PR: 31315 Submitted by: Rici Lake --- httpd-2.0/server/core.c 2004/08/31 08:16:56 1.225.2.27 +++ httpd-2.0/server/core.c 2004/09/21 13:21:16 1.225.2.28 @@ -351,9 +351,13 @@ /* Otherwise we simply use the base->sec_file array */ + /* use a separate ->satisfy[] array either way */ + conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS); for (i = 0; i < METHODS; ++i) { if (new->satisfy[i] != SATISFY_NOSPEC) { conf->satisfy[i] = new->satisfy[i]; + } else { + conf->satisfy[i] = base->satisfy[i]; } }
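
Review bot: The new comment above the apr_palloc call ("use a separate ->satisfy[] array either way") does not say why the separate array is needed, and that reason is the whole security fix. Going by the commit message, the old loop wrote new->satisfy[i] into an array that still belonged to the surrounding context, so a Satisfy setting in an inner section changed the outer one. I would spell that out in the comment so a later cleanup does not drop the allocation as redundant. The added else branch is required for the same reason: apr_palloc returns uninitialized memory, so every one of the METHODS slots has to be written on each merge, which the loop now does. A regression test with nested sections that differ in Satisfy would be worth adding alongside, since this change touches only core.c.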