Re: [users@httpd] mod_authz_dbd regression in apache 2.4.12?

Wed, 13 May 2015 04:45:38 -0700 

Committed in http://svn.apache.org/r1679181 (and r1679182 for CHANGES entry).
Backport to 2.4.x proposed in r1679183 (including Jan's r1663647).

On Tue, May 12, 2015 at 1:46 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> (CC'ing Michel, sorry for the resend, my initial omission)
>
> On Tue, May 12, 2015 at 10:41 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
>> This as been raised on users@.
>>
>> ---------- Forwarded message ----------
>> From: Yann Ylavic <ylavic....@gmail.com>
>> Date: Tue, May 12, 2015 at 10:09 AM
>>
>> On Mon, May 11, 2015 at 10:54 PM, Michel Stam <mic...@reverze.net> wrote:
>>>
>>> I was tinkering over the weekend with mod_authz_dbd and mysql, and i could 
>>> not get a RequireAny/RequireAll to match on multiple Require dbd-group 
>>> statements.
>>> It would always match only the last result from the query, but once for 
>>> every row in the resultset.
>>>
>>> Example:
>>>         <LocationMatch "/(?<name>[^/]+)/">
>>>                 <RequireAny>
>>>                         Require         user %{env:MATCH_NAME}
>>>                         Require         dbd-group %{env:MATCH_NAME}
>>>                         Require         dbd-group Administrators
>>>                 </RequireAny>
>>>         </LocationMatch>
>>>
>>> After some searching, it appeared to me to be a regression of this:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=46421
>>
>> The fix mentioned there is about APR's dbd (mysql) code but has never
>> been pushed to a release (the bugzilla report is still open).
>> As already discussed in [1] (with a simililar fix for mod_authn_dbd in
>> [2]), I don't think it should be addressed in APR though (but in httpd
>> as you and the OP of bugzilla #46421 proposed).
>>
>> There also seems to be other misuses of apr_dbd_get_entry() returned
>> values in httpd, I'll start a thread on the dev@ mailing-list and
>> propose a fix.
>>
>> [1] http://www.mail-archive.com/dev@apr.apache.org/msg26024.html
>> [2] http://svn.apache.org/r1663647
>>
>> ---------- End of forwarded message ----------
>>
>> The issue is that apr_dbd_get_row()'s entries (usually pointed to by
>> apr_dbd_get_entry(), depending on dbd though) get destroyed whenever
>> apr_dbd_get_row() returns -1 (no more rows in iterative mode).
>>
>> This seem to be the case for several dbd systems implemented in APR,
>> so I think we should take care of the entries' lifetime when used
>> after an apr_dbd_get_row() loop.
>> Thus, I think the attached patch should be applied, thoughts?
>>
>> PS: there are also APR dbd systems where the entries are duplicated on
>> the apr_dbd_results' pool, so APR is not really consistent...

Reply via email to