Author: jorton
Date: Fri Jan 13 06:21:42 2006
New Revision: 368730

URL: http://svn.apache.org/viewcvs?rev=368730&view=rev
Log:
Merge r354394 from trunk:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Omit further
access control checks if SSL is not in use regardless of vhost
settings.

Submitted by: Rüdiger Plüm, Joe Orton
Reviewed by: rpluem, jorton, jim
PR: 37791

--- httpd-2.2.0/modules/ssl/ssl_engine_kernel.c.cve3357
+++ httpd-2.2.0/modules/ssl/ssl_engine_kernel.c
@@ -202,11 +202,14 @@
     }
 
     /*
-     * Check to see if SSL protocol is on
+     * Check to see whether SSL is in use; if it's not, then no
+     * further access control checks are relevant.  (the test for
+     * sc->enabled is probably strictly unnecessary)
      */
-    if (!((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL) || ssl)) {
+    if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
         return DECLINED;
     }
+
     /*
      * Support for per-directory reconfigured SSL connection parameters.
      *