On 03/01/2015 03:37 PM, [email protected] wrote:
> Author: minfrin
> Date: Sun Mar 1 14:37:11 2015
> New Revision: 1663123
>
> URL: http://svn.apache.org/r1663123
> Log:
> mod_authn_core: Add expression support to AuthName and AuthType.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/expr.xml
> httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
> httpd/httpd/trunk/modules/aaa/mod_authn_core.c

This causes a test case in the framework to fail. I guess just the test case is wrong, but it should be fixed:

# Running under perl version 5.010001 for linux
# Current time local: Fri Mar 6 16:32:45 2015
# Current time GMT: Fri Mar 6 15:32:45 2015
# Using Test.pm version 1.25_02
# Using Apache/Test.pm version 1.38
# testing : CAN-2004-0747 ap_resolve_env test case
# expected: 200
# received: '500'
not ok 1
# Failed test 1 in t/security/CVE-2004-0747.t at line 14
Failed 1/1 subtests

Test Summary Report
-------------------
t/security/CVE-2004-0747.t (Wstat: 0 Tests: 1 Failed: 1)
  Failed test: 1
Files=1, Tests=1, 0 wallclock secs ( 0.01 usr 0.01 sys + 0.36 cusr 0.07 csys = 0.45 CPU)
Result: FAIL
Failed 1/1 test programs. 1/1 subtests failed.

error_log:

[Fri Mar 06 15:32:45.428836 2015] [core:alert] [pid 10177:tid 140546563634944] [client 127.0.0.1:40823] /usr/src/apache/perl-framework-trunk/t/htdocs/security/CAN-2004-0747/.htaccess: Cannot parse expression '

This also reminds me that this could slow down .htaccess processing considerably, since we need to parse the expression for each request where we have a .htaccess with this directive in place.

Furthermore, do we open up any stuff that malicious users with access to .htaccess could do with expressions that they are not expected to do? If so, is it possible to limit expression support just to the case the directive is not in .htaccess?

Regards

Rüdiger
