Fixes "options bleed", aka. CVE-2017-9798: https://nvd.nist.gov/vuln/detail/CVE-2017-9798 https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html From . --- a/server/core.c 2017/08/16 16:50:29 1805223 +++ b/server/core.c 2017/09/08 13:13:11 1807754 @@ -2266,6 +2266,12 @@ /* method has not been registered yet, but resource restriction * is always checked before method handling, so register it. */ + if (cmd->pool == cmd->temp_pool) { + /* In .htaccess, we can't globally register new methods. */ + return apr_psprintf(cmd->pool, "Could not register method '%s' " + "for %s from .htaccess configuration", + method, cmd->cmd->name); + } methnum = ap_method_register(cmd->pool, apr_pstrdup(cmd->pool, method)); }