# r1807754 (r1807655 from trunk)
#
# SECURITY (CVE-2017-9798)
#
# core: Disallow Methods' registration at run time (.htaccess), they may be
# used only if registered at init time (httpd.conf).
# 
# Calling ap_method_register() in children processes is not the right scope
# since it won't be shared for all requests.
#
Index: server/core.c
===================================================================
--- server/core.c	(revision 1801041)
+++ server/core.c	(working copy)
@@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_sect
             /* method has not been registered yet, but resource restriction
              * is always checked before method handling, so register it.
              */
+            if (cmd->pool == cmd->temp_pool) {
+                /* In .htaccess, we can't globally register new methods. */
+                return apr_psprintf(cmd->pool, "Could not register method '%s' "
+                                   "for %s from .htaccess configuration",
+                                    method, cmd->cmd->name);
+            }
             methnum = ap_method_register(cmd->pool,
                                          apr_pstrdup(cmd->pool, method));
         }