apache2.{desc, pm}: Avoid false positives in apache2-deprecated-auth-config where the offending lines are wrapped in suitable "IfModule" or "IfVersion" directives. (Closes: #788991, 710656)

Chris Lamb Sat, 30 Dec 2017 14:59:59 -0800

This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.


commit c05154fa1ddb3f665b8dba6581a33d6a04f20c18
Author: Chris Lamb <[email protected]>
Date:   Sat Dec 30 22:57:40 2017 +0000

    checks/apache2.{desc,pm}: Avoid false positives in 
apache2-deprecated-auth-config where the offending lines are wrapped in 
suitable "IfModule" or "IfVersion" directives. (Closes: #788991, 710656)
---
 checks/apache2.desc                                          |  4 ++++
 checks/apache2.pm                                            |  7 ++++++-
 debian/changelog                                             |  5 ++++-
 .../debian/debian/phpmyfoo2.install                          |  1 +
 .../debian/false-positives.conf                              | 12 ++++++++++++
 t/tests/apache2-webapplications-general/tags                 |  1 +
 6 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/checks/apache2.desc b/checks/apache2.desc
index 437a5a2..60115dc 100644
--- a/checks/apache2.desc
+++ b/checks/apache2.desc
@@ -144,3 +144,7 @@ Info: The package is using some of the deprecated 
authentication configuration
  semantics. The configuration directives should be replaced with a suitable
  combination of &lt;RequireAll&gt;, &lt;RequireAny&gt;, Require all, Require 
local,
  Require ip, and Require method.
+ .
+ Alternatively, the offending lines can be wrapped between
+ &lt;IfModule !mod_authz_core.c&gt; ... &lt;/IfModule&gt; or
+ &lt;IfVersion &lt; 2.3&gt; ... &lt;/IfVersion&gt; directives.
diff --git a/checks/apache2.pm b/checks/apache2.pm
index d14e779..843fbcb 100644
--- a/checks/apache2.pm
+++ b/checks/apache2.pm
@@ -224,11 +224,15 @@ sub inspect_conf_file {
     # Don't follow unsafe links
     return if not $file->is_open_ok;
     my $fd = $file->open;
+    my $skip = 0;
     while (<$fd>)  {
+        $skip++
+          if m{<\s*IfModule.*!\s*mod_authz_core}
+          or m{<\s*IfVersion\s+<\s*2\.3};
 
         for my $directive ('Order', 'Satisfy', 'Allow', 'Deny',
             qr{</?Limit.*?>}xsm, qr{</?LimitExcept.*?>}xsm) {
-            if (m{\A \s* ($directive) (?:\s+|\Z)}xsm) {
+            if (m{\A \s* ($directive) (?:\s+|\Z)}xsm and not $skip) {
                 tag 'apache2-deprecated-auth-config', $file, "(line $.)", $1;
             }
         }
@@ -246,6 +250,7 @@ sub inspect_conf_file {
             }
         }
 
+        $skip-- if m{<\s*/\s*If(Module|Version)};
     }
     close($fd);
     return;
diff --git a/debian/changelog b/debian/changelog
index 6d63866..61c5cf7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,9 +2,12 @@ lintian (2.5.67) UNRELEASED; urgency=medium
 
   XXX: generate tag summary
 
-  * checks/apache2.pm:
+  * checks/apache2.{desc,pm}:
     + [CL] Include the offending filename and line number in the output of
       apache2-deprecated-auth-config and apache2-unparsable-dependency.
+    + [CL] Avoid false positives in apache2-deprecated-auth-config where
+      the offending lines are wrapped in suitable "IfModule" or "IfVersion"
+      directives.  (Closes: #788991, 710656)
   * checks/changelog-file.{desc,pm}:
     + [CL] Warn about changelog entries that have incorrectly formatted
       dates.  (Closes: #793406)
diff --git 
a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.install 
b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.install
index d47d625..b2da1d6 100644
--- a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.install
+++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.install
@@ -1,2 +1,3 @@
 phpmyfoo2              /etc/apache2/conf-available
 local-phpmyfoo2.conf   /etc/apache2/conf-available
+false-positives.conf   /etc/apache2/conf-available
diff --git 
a/t/tests/apache2-webapplications-general/debian/false-positives.conf 
b/t/tests/apache2-webapplications-general/debian/false-positives.conf
new file mode 100644
index 0000000..e54f470
--- /dev/null
+++ b/t/tests/apache2-webapplications-general/debian/false-positives.conf
@@ -0,0 +1,12 @@
+Alias /foo /usr/share/foo
+
+<Directory /usr/share/foo>
+  <IfModule !mod_authz_core.c>
+    Order deny, allow
+    Require valid-user
+  </IfModule>
+  <IfVersion < 2.3>
+    Order deny, allow
+    Require valid-user
+  </IfVersion>
+</Directory>
diff --git a/t/tests/apache2-webapplications-general/tags 
b/t/tests/apache2-webapplications-general/tags
index 58a32e3..bc48287 100644
--- a/t/tests/apache2-webapplications-general/tags
+++ b/t/tests/apache2-webapplications-general/tags
@@ -1,4 +1,5 @@
 E: phpmyfoo2: apache2-configuration-files-need-conf-suffix 
etc/apache2/conf-available/phpmyfoo2
+W: phpmyfoo2: non-standard-apache2-configuration-name false-positives.conf != 
phpmyfoo2.conf
 W: phpmyfoo2: non-standard-apache2-configuration-name local-phpmyfoo2.conf != 
phpmyfoo2.conf
 W: phpmyfoo2: non-standard-apache2-configuration-name phpmyfoo2 != 
phpmyfoo2.conf
 W: phpmyfoo3: apache2-deprecated-auth-config etc/apache2/conf.d/phpmyfoo.conf 
(line 11) </Limit>

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git

[lintian] 02/02: checks/apache2.{desc, pm}: Avoid false positives in apache2-deprecated-auth-config where the offending lines are wrapped in suitable "IfModule" or "IfVersion" directives. (Closes: #788991, 710656)

Reply via email to