On 8/4/2019 3:30 AM, Rainer Jung wrote:
> Hi there,
>
> this one fails for me when the server uses OpenSSL 1.1.1 (no other
> variant tested yet) but the client uses something before 1.1.1. In
> this case I get Status 500 instead of the expected 403 in the client.
>
> Another older test t/security/CVE-2005-2700.t uses
>
> ok !t_cmp($r->code, 200, "...
>
> instead of
>
> ok t_cmp($r->code, 403, "...
>
> used in the new test. Do others observe the same problem? Should we
> relax the condition on 403 or 500, or is it necessary to only relax if
> client isn't using 1.1.1 (or maybe depending on effective TLS version)?

I also see the same problem. The 500 must be coming from the LWP client
rather than httpd, though, as httpd does log the 403. I would prefer to
skip the test for non-compatible clients rather than for the internal
client error to be treated as a "pass" of a test it cannot run.

-- 
Daniel Ruggeri

>
> Regards,
>
> Rainer
>
> On 02.04.2019 at 12:44, jor...@apache.org wrote:
>> Author: jorton
>> Date: Tue Apr  2 10:44:12 2019
>> New Revision: 1856807
>>
>> URL: http://svn.apache.org/viewvc?rev=1856807&view=rev
>> Log:
>> Add test case for CVE-2019-0215.
>>
>> Added:
>>      httpd/test/framework/trunk/t/security/CVE-2019-0215.t
>>
>> Added: httpd/test/framework/trunk/t/security/CVE-2019-0215.t
>> URL:
>> http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2019-0215.t?rev=1856807&view=auto
>> ==============================================================================
>>
>> --- httpd/test/framework/trunk/t/security/CVE-2019-0215.t (added)
>> +++ httpd/test/framework/trunk/t/security/CVE-2019-0215.t Tue Apr  2
>> 10:44:12 2019
>> @@ -0,0 +1,26 @@
>> +use strict;
>> +use warnings FATAL => 'all';
>> +
>> +use Apache::Test;
>> +use Apache::TestUtil;
>> +use Apache::TestRequest;
>> +
>> +my $vars = Apache::Test::vars();
>> +
>> +plan tests => 2, need $vars->{ssl_module_name}, need_lwp,
>> +    qw(LWP::Protocol::https);
>> +
>> +Apache::TestRequest::user_agent_keepalive(1);
>> +Apache::TestRequest::scheme('https');
>> +Apache::TestRequest::module('ssl_optional_cc');
>> +
>> +my $r;
>> +
>> +$r = GET "/require/any/";
>> +
>> +ok t_cmp($r->code, 403, "first access denied without ccert");
>> +
>> +$r = GET "/require/any/";
>> +
>> +ok t_cmp($r->code, 403, "second access denied without ccert");
>> +
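Review bot: Both `ok t_cmp($r->code, 403, ...)` checks assume the status code always originates from httpd, and the `plan` line gates only on the SSL module, `need_lwp` and `LWP::Protocol::https`, so nothing skips the test when the client side cannot complete the exchange. The replies in this thread report exactly that case: the client sees a 500 while httpd logs the 403. Consider adding a skip condition for responses that were generated by the client rather than widening the expected code to "403 or 500", so that a client-side failure is not counted as a pass. The file also has no comments; a line explaining why the same `GET "/require/any/"` is issued twice with `user_agent_keepalive(1)` enabled would make the intent of the second check clear.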
