Re: Migrate to git?

[Jose Kahan]

On Sat, Oct 05, 2019 at 04:09:34PM -0400, Jim Jagielski wrote:
> Various PMCs have made their default/de-facto SCM git and have seen an 
> increase in contributions and contributors...
> 
> Is this something the httpd project should consider? Especially w/ the 
> foundation officially supporting Github, it seems like time to have a 
> discussion about it, especially as we start thinking about the next 25 years 
> of this project :)
> 

Hi,

At W3C, all the Working Group spec as well as some developer work has 
moved on over to github.  We use github's hooks API to connect actions 
on github repositories with our mailing lists and other aspects of the 
main server.

Yes, git and github may have a steeper learning curve that svn, 
but people now seem satisfied with the current workflow.

Yes, having this kind of work hosted at github has increased
its visibility and getting unexpected external contributions.

For the record, part of this change of system required migrating 
CVS repositories from our servers at W3C to github, while preserving
all the history of commits and names of commiteers, using readily
available tools. There were some incompatibilities between CVS unmerged
branches, though, and we had to take decisions in that case. This may
not be the case for SVN. 

Another important reason that pushed for this migration is that CVS
clients are becoming less available across platforms. I'm not sure
if that's the same situation for SVN, although I see there are still
recent releases of it. It helps it's hosted at ASF.

For simplicity, from here one I will use "apache" to refer to the
httpd server.

I think that one step for migrating apache to github would require
your writing down a list of things you need from a DRCS and then
working on how to map them to github.

One thing that I find important is that you evaluate how you're
going to handle contributions, or, in git parlance, merge requests (MR).
These are public visible in the repository. Having too many hanging
out without closure doesn't speak well for a project. I talk of this
from experience of seeing that bug reportss and proposed bug fixes are 
quickly fixed and integrated into apache (Thanks Yann!),  however,
proposal for extensions of existing modules, even when developed in
consultation with the list, just go dormant and require multiple
prodding today and even like that, the hit ratio is really low in my
opinion. After I while this just demotivated me from continuing proposing
them to this list and just stick to the ocassional bug report / patches..
See for example the latest one, dating from 2015 [1]. When this
happens in github, the result may be that someone forks your project
and makes a new one out of it.

Another thing from the migration that I think you should consider
is what you're going to do with your existing bugzilla content.
Are you going to keep using it or use the github issues for that?
Are you going to migrate open issues there? How about the links
in reports pointing to your svn repository?

Finally, as much as migrating to github can be interesting, you must
also consider not being tied to github in case any future policy changes
don't please you. You must be prepared to be able to migrate to another
system if needed and see how much of the github environment can follow you.
Can the issues follow you? How about the discussions in github? etc.
What parts of github are you going to use, which ones disable (and can
they be disabled?).

Other alternatives for github are gitlab. You can install an instance
of gitlab locally or use their repository. Upon the announcement of
MS buying github, some projects migrated to gitlab.

If it may help, I can put you in contact with the people in our
team that can describe more in detail how W3C is using github today,
the hooks, CI,  how we backup it, and the advantages and limitations we
have found so far.

Hope this feedback helps,

--josé

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58025

Re: PHP test cases

[Jose Kahan]

On Tue, Nov 21, 2017 at 04:31:57PM -0600, Daniel Ruggeri wrote:
> 
> Also, t/php/getlastmod.t fails because of a warning[2] unless php.ini
> has been set to explicitly declare a timezone (unsure of which version
> PHP made this a warning). Should we modify our php script or modify the
> comparison to be a match that includes the month? My workaround was to
> create a php.ini on the fly but we ought to handle this better in the code.

See:

http://php.net/manual/en/function.date-default-timezone-set.php

You need to set that value, either thru that function or thru php.ini.
Are you invoking the testsuite from php cli?

Hope this helps.

--josé

Re: modules.apache.org is down

[Jose Kahan]

On Wed, Mar 15, 2017 at 05:36:47PM +0100, Jose Kahan wrote:
> 
> It's been a couple of months (if not more) that the 3rd party
> module repo is unavailable. the last discussion I saw about
> this site dates from Nov 2016, where people were talking about
> moderation, spambots, and making a new system.

I meant Nov. 2015.

--josé

modules.apache.org is down

[Jose Kahan]

Hi,

It's been a couple of months (if not more) that the 3rd party
module repo is unavailable. the last discussion I saw about
this site dates from Nov 2016, where people were talking about
moderation, spambots, and making a new system.

Are you planning to bring it back online? Otherwise, it would
be better to remove the link that points to it from this page:

  https://modules.apache.org/

I hope it comes back! 

Cheers,

--josé

mod_index : missing Content-Location header

[Jose Kahan]

Hi,

Best wishes for 2016!

Does anyone know why mod_dir doesn't generate a Content-Location
header when a URI ending in "/" is requested? This is a behavior
that is common in 2.2 and 2.4.

For some publishing tools, it's useful to know what's the actual
URI that's mapped to "/" thru DirectoryIndex.

I can contribute time to propose a patch that does this. I can
either add this as an in-built feature to mod_dir with configuration
options to disable it or as an optional hook tha's called once 
there's a positive match for a DirectoryIndex entry.

Any comments?

Thanks!

-jose

Re: Weird interaction between mod_dir and [P] rewrites

[Jose Kahan]

Eric,

On Tue, Nov 24, 2015 at 01:37:09PM -0500, Eric Covener wrote:
> Tried DirectoryCheckHandler? It's a 2.2-vs-2.4 difference discovered a
> little too late to change by default.

Thank you very much. That fixed my issue. I wonder if it would be
interesting to add a note about this change in behavior and
the directive in [1].

Thank you again for your promt reply.

Cheers,

-jose

[1] http://httpd.apache.org/docs/2.4/upgrading.html

Weird interaction between mod_dir and [P] rewrites

[Jose Kahan]

Hi, 

This is something that has changed in 2.4 compared to 2.2.

When I follow the simple scenario (attached file) in a fresh 
install of apache, mod_dir is affecting the first value of 
DirectoryIndex to my request before it is being proxied. 

In 2.2, I was used to browse "https:/example,com/foo/" and have 
this being proxied to a backend as "https://example2.com/bar/";. 
But now in 2.4.7, mod_dir is first converting "/foo/" to
"/foo/index.html" and then sending the proxy request as
"/bar/index.html".

Do you know if this is an intended feature or a bug? I would
expect the backend, and not the frontend, to decide what
it wants to add to a url ending by "/".

The code in mod_dir has changed and there's a section with a comment
saying that it steps aside when it detects it is inside a mod_rewrite
fixup. It seems to be missing a provision for proxy requests.

rbowen helped me test this against 2.4.17/fedora. I tested it against
2.4.10/debian jessie with the same result.

Thanks! Cheers.

-jose
Scenario for mod_dir and mod_rewrite bug

Tested against 2.4.17 in a fresh fedora install (Thanks rbowen!)

I have this setup

   /foo/.htaccess
   /bar/echo.php

Server runs in localhost.

1. In your apache config, make sure you have the DirectoryIndex directive
   e.g. 
DirectoryIndex index.html

2. Put the following php script under /bar/echo.php Its goal is to echo 
the request URI. You can do it with another script if you want:

[[
$ cat echo.php

]]

3. Put this .htaccess under /foo/.htaccess 
[[
$ cat .htaccess
RewriteEngine on
RewriteBase /foo
RewriteRule ^(.*)$ http://localhost/bar/echo.php/$1 [P,L]
]]

4. Try the test

   GET -Se http://localhost/foo/

If you get back: 

   Requested: ...echo.php/index.html
   # index.html is the first value of my DirectoryIndex directive

You see the bug, mod_dir added the first value of DirectoryIndex 
before doing the proxy request.

Re: patch to mod_authz_dbd to handle query parameters

[Jose Kahan]

Hi,

Not having heard back since submitting this enhancement, I decided
to put it on github to share it with other people who may be 
interested by it [1]. I integrated the changes from [2] and used
2.4.17 as the "base version".

My original submission is [3].

Feel free to contact me if you are interested to integrate this
into apache and require further changes.

-jose

[1] https://github.com/jkbzh/apache2_mod_authz_dbd
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=57868
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=58025

Re: Re: patch to mod_authz_dbd to handle query parameters

[Jose Kahan]

Argh, I forgot to include the link to the message! Sorry about
that.

http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3c20150428165148.ga17...@kiribati.inrialpes.fr%3E

-jk

Re: patch to mod_authz_dbd to handle query parameters

[Jose Kahan]

Hi!

A gentle reminder that I had submitted this patch and would like
to know if someone has had time to review it and/or would like
further modifications. 

Should I add a bugzilla entry so that it doesn't fall under the radar?

Thanks! Kudos.

-jk

patch to mod_authz_dbd to handle query parameters

[Jose Kahan]

Hi,

I realized that my last message was missing a part of the
info I had prepared. I'm resending it with a new subject
to make it clearer what it is.

I slightly revised the patch in that it had a unused variable.
I don't know why -Wc-Wunused didn't work with apxs2.

To compile and install the patch:

 apxs2  -i -a -c mod_authz_dbd.c

Looking forward to your feedback or RFE. More details here below.

I'm also opening a bug report for the dbd issue I found (and fixed
in this patch).

Cheers,

-jose

DETAILED REPORT


Work done:

- As discussed earlier in this thread, new require dbd-query directive
  for supporting query parameters.  If the query returns at least one
  row, we consider that access is granted.

- It's now possible to use query parameters for dbd-login and
  dbd-logout. If no parameter is given, the default value is
  %{REMOTE-USER} to keep backwards compatibility.

- While testing the changes for dbd-login, a server misconfiguration
  revealed a SIGSEV. If the dbd handle preparation fails due to a
  misconfiguration of the database server or the access rights to the
  table, the server logs something along these lines:

   AH00632: failed to prepare SQL statements: UPDATE command denied to 
   user 'foo'@'exampleorg' for table 'bar'

  As a consequence, the call to dbd_handle(r) returns NULL. However,
  in mod_authz_dbd, there was no control for the value of dbd before
  its being used in both authz_dbd_login() and authzdbd_group():

   ap_dbd_t *dbd = dbd_handle(r);
   ...
query = apr_hash_get(dbd->prepared, <--- SIGSEV

  I added a check to protect against this case.

Open issues:

- I wanted to control that the number of bind arguments correspond to
  those in the prepared request. However this value is not visible in
  apr_dbd_prepared_t *query.  Looking at the code in apr_dbd.c, I see
  that even though the number of bind arguments are being passed to
  apr_dbd_pselect() and apr_dbd_pquery() in nargs, this argument is
  discarded before calling the implementation of those functions in
  the driver.

  At least in the mysql driver, there is no further check that there
  is an equivalence between the bind and prepared statement
  arguments. In both cases there is just a call to

mysql_stmt_bind_param(statement->stmt, bind);

  which expects bind to have the correct number of arguments. I
  checked the sqlite3 driver and it has the same issue.

  If bind has more arguments, there is no issue. If there is less, we
  risk a SIGSEV or unexpected behavior.

  To avoid this issue, I wanted to control the number of arguments
  when parsing the configuration file and show a configuration error
  when necessary. However, as the prepared query goes into opaque
  driver implementations, I don't have access to its nargs value. Are
  there any ideas on how to get this info?  The only hack I could
  think of is counting the number of % inside the prepared query and
  making sure that we have the corresponding number of bind arguments.

- Would it be worth it to connect this module to mod_socache.c?

Other questions:

- In function dbd_parse_config, I was unable to decide whether it
  would be ok to use cmd->temp_pool instead of cmd->pool in my call to
  ap_getword_white()

- I am using ap_expr_parse_cmd() on each argument of the require
  dbd-query, dbd-login, and dbd-logout directives. I think this is
  akin to building an expression tree for each argument. Is there a
  more efficient way to do so?

Index: /tmp/httpd-trunk/modules/aaa/mod_authz_dbd.c
===
--- /tmp/httpd-trunk/modules/aaa/mod_authz_dbd.c	(revision 1676575)
+++ /tmp/httpd-trunk/modules/aaa/mod_authz_dbd.c	(working copy)
@@ -109,7 +109,45 @@
 {NULL}
 };
 
+static int evaluate_query_parameters(request_rec *r, 
+ const apr_array_header_t *parsed_require_args, 
+ const void **query_parameters)
+{
+int i;
+apr_array_header_t *qp;
+
+const ap_expr_info_t *expr = NULL;
+const char *parameter;
+
+const char *err = NULL;
+
+/* evaluate the query parameters in parsed_require_args */
+qp = apr_array_make(r->pool, 
+			parsed_require_args->nelts, 
+			sizeof (char *));
+
+for (i = 0; i < parsed_require_args->nelts; i++) {
+
+expr = ((const ap_expr_info_t **)parsed_require_args->elts)[i];
+parameter = ap_expr_str_exec(r, expr, &err);
+
+if (err) {
+ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+  "authz_dbd in evaluate query_parameters: Can't "
+  "evaluate require expression: %s", err);
+return HTTP_INTERNAL_SERVER_ERROR;
+}
+
+*(const char **)apr_array_push(qp) = parameter;
+}
+
+*query_parameters = (void *)qp;
+
+return OK;
+}
+
 static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg

Re: Extending mod_authz_dbd

[Jose Kahan]

Hi Graham,

Here's a first patch that adds the functionality that you suggested.

>   Require dbd-login %{REQUEST_URI} %{REQUEST_METHOD} %{REMOTE_USER}
>   AuthzDBDQuery "UPDATE authn SET uri = %s, method = %s WHERE user = %s”
>
>   Require dbd-logout %{TIME} %{REMOTE_USER}
>   AuthzDBDQuery "UPDATE authn SET logout_time = %s WHERE user = %s”
>
> To be backwards compatible, "Require dbd-login” on it’s own would imply 
> "Require dbd-login %{REMOTER_USER}”.
>
> One possible approach to support completely generic queries might be as 
> follows:
>
>   Require dbd-query %{REQUEST_URI} %{REMOTE_USER}
>   AuthzDBDQuery “SELECT count(user) FROM authn WHERE uri=%s AND user = %s”

Although I developed and tested this against the 2.4.10 source
tree (the latest debian jessie version), I checked and this 
module as well as mod_dbd.c have not changed since then neither 
in the latest 2.4.x nor in trunk. I don't think there will be 
an issue running it there.  Installing that environment over the 
default debian one could be a hazzle for me that I'd prefer
to avoid , but that I could do if needed.

Here below are some development notes.

Please keep me update if I can contribute something else to this
patch, that it be documentation or further changes. I understand
there's no engagement to accept this code from you. We can chat
on irc too if needed.

Cheers,

-jose

Open issues:

- I wanted to control that the number of bind arguments correspond to
  those in the prepared request. However this value is not visible in
  apr_dbd_prepared_t *query.  Looking at the code in apr_dbd.c, I see
  that even though the number of bind arguments are being passed to
  apr_dbd_pselect() and apr_dbd_pquery() in nargs, this argument is
  discarded before calling the implementation of those functions in
  the driver.

  At least in the mysql driver, there is no further check that there
  is an equivalence between the bind and prepared statement
  arguments. In both cases there is just a call to

mysql_stmt_bind_param(statement->stmt, bind);

  which expects bind to have the correct number of arguments. I
  checked the sqlite3 driver and it has the same issue.

  If bind has more arguments, there is no issue. If there is less, we
  risk a SIGSEV or unexpected behavior.

  To avoid this issue, I wanted to control the number of arguments
  when parsing the configuration file and show a configuration error
  when necessary. However, as the prepared query goes into opaque
  driver implementations, I don't have access to its nargs value. Are
  there any ideas on how to get this info?  The only hack I could
  think of is counting the number of % inside the prepared query and
  making sure that we have the corresponding number of bind arguments.

- Would it be worth it to connect this module to mod_socache.c?

Other questions:

- In function dbd_parse_config, I was unable to decide whether it
  would be ok to use cmd->temp_pool instead of cmd->pool in my call to
  ap_getword_white()

- I am using ap_expr_parse_cmd() on each argument of the require
  dbd-query, dbd-login, and dbd-logout directives. I think this is
  akin to building an expression tree for each argument. Is there a
  more efficient way to do so?
Index: mod_authz_dbd.c
===
--- mod_authz_dbd.c	(revision 1675706)
+++ mod_authz_dbd.c	(working copy)
@@ -109,7 +109,45 @@
 {NULL}
 };
 
+static int evaluate_query_parameters(request_rec *r, 
+ const apr_array_header_t *parsed_require_args, 
+ const void **query_parameters)
+{
+int i;
+apr_array_header_t *qp;
+
+const ap_expr_info_t *expr = NULL;
+const char *parameter;
+
+const char *err = NULL;
+
+/* evaluate the query parameters in parsed_require_args */
+qp = apr_array_make(r->pool, 
+			parsed_require_args->nelts, 
+			sizeof (char *));
+
+for (i = 0; i < parsed_require_args->nelts; i++) {
+
+expr = ((const ap_expr_info_t **)parsed_require_args->elts)[i];
+parameter = ap_expr_str_exec(r, expr, &err);
+
+if (err) {
+ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+  "authz_dbd in evaluate query_parameters: Can't "
+  "evaluate require expression: %s", err);
+return HTTP_INTERNAL_SERVER_ERROR;
+}
+
+*(const char **)apr_array_push(qp) = parameter;
+}
+
+*query_parameters = (void *)qp;
+
+return OK;
+}
+
 static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg,
+			   const void *parsed_require_args,
const char *action)
 {
 int rv;
@@ -120,12 +158,18 @@
 apr_dbd_prepared_t *query;
 apr_dbd_results_t *res = NULL;
 apr_dbd_row_t *row = NULL;
+apr_array_header_t *query_parameters;
 
 if (cfg->query == NULL) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01

Re: Extending mod_authz_dbd

[Jose Kahan]

Hello Graham,

Thanks for your feedback. It all makes sense to me. 
Following your reasoning, the only directive that will have i
to stay as is for backwards compatibility will be require 
dbd-group, as it expects either no parameter or the value 
the query will return.

I had initially thought of only using one directive and
extracting the variables from the AuthzDBDQuery arguments, 
substituting them for %s and then preparing the request. Your
proposal is much simpler so I'll go with it.

I'm already looking at the code. Will keep you (and the list)
updated as soon as I have something to share.

Regards,

-jose

On Wed, Apr 15, 2015 at 11:17:04AM +0200, Graham Leggett wrote:
> 
> The limitations we’d have to work with is that all the queries are prepared 
> statements, and are reused for multiple requests. At the same time any query 
> that is interpreted purely as a string would need to be protected against SQL 
> injection.
 
>   Require dbd-login %{REQUEST_URI} %{REQUEST_METHOD} %{REMOTE_USER}
>   AuthzDBDQuery "UPDATE authn SET uri = %s, method = %s WHERE user = %s”
> 
>   Require dbd-logout %{TIME} %{REMOTE_USER}
>   AuthzDBDQuery "UPDATE authn SET logout_time = %s WHERE user = %s”
> 
> To be backwards compatible, "Require dbd-login” on it’s own would imply 
> "Require dbd-login %{REMOTER_USER}”.
> 
> One possible approach to support completely generic queries might be as 
> follows:
> 
>   Require dbd-query %{REQUEST_URI} %{REMOTE_USER}
>   AuthzDBDQuery “SELECT count(user) FROM authn WHERE uri=%s AND user = %s”
> 
> The bit above where you’d limit the requests to GET or POST you’d probably do 
> with Limit or LimitExcept.

Extending mod_authz_dbd

[Jose Kahan]

Hi,

We're preparing the migration to apache 2.4 and we're happy
to see that many features now available allow us to put to
rest most of our custom developed modules.

Looking at mod_authz_dbd, we would like to make a request
against a dbase passing different parameters (REQUEST_URI, 
REQUEST_METHOD, REMOTE_USER, ...) to support a fine-grained
ACL mechanism. However, this module doesn't seem to support
resolving those variables when preparing the SQL query. 
Looking at the code, the only one that seems supported is 
a hard-coded r->user in authz_dbd_group_query:

 rv = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
   query, 0, r->user, NULL);

Is there any historical reason for this? Would you be interested
in our contributing time to extend this module to support more
generic queries such as (invented query)

require sql-query "SELECT * FROM foo WHERE user=${REMOTE_USER} 
   AND uri=${REQUEST_URI} AND ${REQUEST_METHOD} in
   ('GET', 'POST')"

While browsing for information regarding this point, I only
found people asking if this was possible, but no hints if there
had been (or will be) plans to do this.

The defunct mod_auth_mysql used to propose something similar. i
This module is not officially maintained anymore.

A possible point of confusion in the module's doc [1] is the 
phrase saying 

  "Since v2.4.8, expressions are supported within the DBD 
   require directives."

while the requires in the paragraphs below can't support expressions, 
as far as I can tell. I may be missing something.

Please keep me update if you'd be interested in this generic 
contribution, which we would be happy to make, rather than forking 
and maintaining a derived and non-generic patch to this module.

If you're interested, I'd appreciate some feedback on how the feature
should look like so that it's designed that way before coding it,
rather than coding, proposing the contribution and getting feedback
it wasn't what x had in mind.

Of course, it's understood that your showing interest for this doesn't 
mean you will end up accepting the contribution.

Thanks and KUDOS! Apache 2.4 rocks!

-jose

Re: Misleading example in Apache 2 doc (fix)

[Jose Kahan]

Hi André,

> language\s*=\s*([^;,\s]+)

Your expression works well and is simpler than mine.

+1 to update the doc with it instead of my proposal.

Thanks :)

-jose

Misleading example in Apache 2 doc (fix)

[Jose Kahan]

I didn't do my homework completely. According to
RFC 2910, Cookie tokens may be separated by
white space. The correct regular expression is:

[[
 SetEnvIf Cookie "language\s*=\s*([a-z|A-Z][a-z|A-Z|-]+)" prefer-language=$1
]]

Thanks!

-jose

Misleading example in Apache 2 doc

[Jose Kahan]

!

I'm not sure if I should mail this here or open a
new bugzilla report. Please advice.

The Content Negotiation doc is using a misleading
example in this section:

 http://httpd.apache.org/docs/2.2/content-negotiation.html#better

[[
 Example

 SetEnvIf Cookie "language=(.+)" prefer-language=$1
 Header append Vary cookie
]]


That regular expression won't work if the cookie has other attributes
in addition to the language one. One of our users got caught
by it. A quick search on the web shows that many people have had
this problem too.

Here's a correct regular expression that will return the language
attribute value, regardless of the contents of the cookie:

[[
SetEnvIf Cookie "language=([a-z|A-Z][a-z|A-Z|-]+)" prefer-language=$1
]]

The expression looks bigger because it takes into account not
only strings like "en", but also "zh-hans". I added upper and lower
case as cookies are case insensitive and I'm not sure if Apache converts
cookies to lower-case at some point. If it's always lower case,
we can simplify the regular expression to:

[[
SetEnvIf Cookie "language=([a-z][a-z|-]+)" prefer-language=$1
]]


Could you update the example in the doc accordingly?

Thanks!

-jose

Gentle reminder of outstanding contributed patches

[Jose Kahan]

Hi folks,

Per the patch submission suggestion # 1:

[[
  Be persistent but polite. Post to the developers list pointing out
  your patch and why you feel it is important. Feel free to do this
  about once a week and continue until you get a response. Just be sure
  to be polite about it, since the developers are unlikely to respond to
  rude messages.
]]

Here's a gentle reminder and summary of myoutstanding (as in
non-committed) patches (bug fixes, test procedures) that I've
submitted over the last couple of months.

If it may be easier for you, I published a page giving the status
and links to all of these patches on the apache bugzilla server:. 

  http://www.w3.org/2007/10/osc 

As always, feel free to ask any question or send feedback.

N.B. We have applied all of these patches to our production servers,
which are now 2.2.8. All of these patches were still needed.
I only had to change one to work against 2.2.8. The rest of the
patches work without changes on 2.2.8.

If it may be easier for you, I published a page giving links
to all of these patches inside bugzilla.

  http://www.w3.org/2007/10/osc

Best regards,

-jose

Patch: Restoring location walking in subrequests

 *  Summary: Apache is not using custom content-types when accessing
content-negotiated resources
 *  Apache bugzilla entry: 41960[5]
 *  Bug report submitted: Mar 2007
 *  Patch against trunk and 2.2.6 and 2.2.8 submitted: 6, 10 August 2007,
31 Jan 2008 [6]
 *  Status: patch committed to trunk on 13 Sep 2007; not yet available
in released server.

Test: location walking in subrequests

 *  Summary: Checks that directives stored in .htaccess files as well
as , , and  sections is taken into
account when handling subrequests. Complements PR 41960.
 *  Apache bugzilla entry: 43679[8]
 *  Patch against trunk submitted: 01-Oct-2007[9] (rev. version to
apache-dev[10]). Resubmitted: 23-Oct-2007 (bugzilla)
 *  Status: waiting for action from Apache-dev guys

Patch: mod_negotiation is not passing query strings and path info when
   using typemaps

 *  Summary: completes the work started on by PR 33112.
 *  Apache bugzilla entry: 43550[12]
 *  Bug report submitted: 4 Oct 2007
 *  Patch against trunk and 2.2.6 submitted: 11-Oct-2007[13] (rev.
version)
 *  Status: waiting for action from apache-dev guys

Patch: Removing dependency between mod_speling and the AcceptPathInfo
directive

  *  Summary: PR 21059 added this dependency. It is not needed anymore
 and has degraded the use of mod_speling because it introduces a
 hard dependency with the AcceptPathInfo directive.
  *  Apache bugzilla entry: 43562[18]
  *  Bug report submitted: 5 Oct 2007
  *  Patch against trunk and 2.2.6 submitted: 5 Oct 2007[19]
  *  Status: waiting for action from apache-dev guys

[5] http://issues.apache.org/bugzilla/show_bug.cgi?id=41960
[6] http://issues.apache.org/bugzilla/show_bug.cgi?id=41960
[8] http://issues.apache.org/bugzilla/show_bug.cgi?id=43679
[9] http://issues.apache.org/bugzilla/show_bug.cgi?id=43679
[12] http://issues.apache.org/bugzilla/show_bug.cgi?id=43550
[13] http://issues.apache.org/bugzilla/show_bug.cgi?id=43550
[18] http://issues.apache.org/bugzilla/show_bug.cgi?id=43562
[19] http://issues.apache.org/bugzilla/show_bug.cgi?id=43562

Gentle reminder of outstanding contributed patches

[Jose Kahan]

Hi folks,

Per the patch submission suggestion # 1:

[[
  Be persistent but polite. Post to the developers list pointing out
  your patch and why you feel it is important. Feel free to do this
  about once a week and continue until you get a response. Just be sure
  to be polite about it, since the developers are unlikely to respond to
  rude messages.
]]

Here's a gentle reminder and summary of myoutstanding (as in
non-committed) patches (bug fixes, test procedures) that I've
submitted over the last ocuple of weeks.

As always, feel free to ask any question or send feedback.

N.B. We have applied all of these patches to our production servers.

Best regards,

-jose

Test: location walking in subrequests PR 43679[6]

   *  Summary: Checks that directives stored in .htaccess files as well
  as , , and  sections is taken into
  account when handling subrequests. Complements PR 41960.
   *  Apache bugzilla entry: PR 43679[6]
   *  Patch against trunk submitted: 01-Oct-2007[7] (rev. version to
  apache-dev[8]). Resubmitted: 23-Oct-2007 (bugzilla)
   *  Status: waiting for action from Apache-dev guys

Patch: mod_negotiation is not passing query strings and path info when
using typemaps PR 43550[9]

   *  Summary: completes the work started on by PR 33112.
   *  Apache bugzilla entry: PR 43550[9]
   *  Bug report submitted: 4 Oc 2007
   *  Patch against trunk and 2.2.6 submitted: 11-Oct-2007[10] (rev.
  version)
   *  Status: waiting for action from apache-dev guys

Test: passing query strings when using typemaps PR 43550[11]

   *  Summary checks tha query strings are passed correctly when using
  typemaps
   *  Apache bugzilla entry: PR 43550[11]
   *  Patch against trunk submitted: 11-Oct-2007[12] (rev. version)
   *  Status: waiting for action from Apache-dev guys

Patch: Removing dependency between mod_speling and the AcceptPathInfo
directive PR 43562[13]

   *  Summary: PR 21059 added this dependency. It is not needed anymore
  and has degraded the use of mod_speling because it introduces a
  hard dependency with the AcceptPathInfo directive.
   *  Apache bugzilla entry: PR 43562[13]
   *  Bug report submitted: 5 Oct 2007
   *  Patch against trunk and 2.2.6 submitted: 5 Oct 2007[14]
   *  Status: waiting for action from apache-dev guys

Patch: Fixing invalid XHTML markup in mod_autoindex PR 43649[15] 

   *  Summary: XHTML version of autoindex is missing the HTML namespace
   *  Apache bugzilla entry: PR 43649[15]
   *  Bug report submitted: 18 Oct 2007
   *  Patch against trunk and 2.2.6 submitted: 18 Oct 2007[16]
   *  Status: waiting for action from apache-dev guys

--
List of References

[6] http://issues.apache.org/bugzilla/show_bug.cgi?id=43679
[7] http://issues.apache.org/bugzilla/show_bug.cgi?id=43679
[8]
http://mail-archives.apache.org/mod_mbox/httpd-dev/200710.mbox/[EMAIL PROTECTED]
[9] http://issues.apache.org/bugzilla/show_bug.cgi?id=43550
[10] http://issues.apache.org/bugzilla/show_bug.cgi?id=43550
[11] http://issues.apache.org/bugzilla/show_bug.cgi?id=43550
[12] http://issues.apache.org/bugzilla/show_bug.cgi?id=43550
[13] http://issues.apache.org/bugzilla/show_bug.cgi?id=43562
[14] http://issues.apache.org/bugzilla/show_bug.cgi?id=43562
[15] http://issues.apache.org/bugzilla/show_bug.cgi?id=43649
[16] http://issues.apache.org/bugzilla/show_bug.cgi?id=43649

Re: As we contemplate what to fix, and how to roll out 2.4 and 3.0

[Jose Kahan]

If it could help your PR effort, maybe you could have some kind of
online testimonial or survey page of companies or big sites that 
have moved to Apache 2.2, stating how much time it took them to 
migrate to it from the previous server version, how much effort it took
to migrate their propietary modules, and what gains in performance,
stable server behavior they have observed. 

I'd also include a last section stating if they aborted their move,
to state the reasons why.

The above survey would let users see, by consulting their peers
opinion, the benefits (and possible drawbacks) of moving to Apache 2.2.

If there's such a page, we (W3C), can fill in an entry
re: our migration to Apache 2.2.

Cheers,

-jose

Re: Jose's recent location test/failures

[Jose Kahan]

Hello,

Here's my second take at submitting these tests. Following Bill's
comments, I did some changes to remove the ambiguity.

These tests check that the directives inside , 
 sections as well as .htaccess are taken into
account when processing internal subrequests. The test
case consists in using AddCharset to add a bogus charset in the
configuration and using conneg to trigger a subrequest. e.g.,

   
  Options +MultiViews
  AddCharset bogus .bc
   

Although there are six tests, only test four fails when
PR 41960 is not applied. I added the extra five just to make 
sure the flaw won't appear in the other sections.

You will find here attached the subrequests.t test file as well
as a tgz archive with the tests. 

Before running the tests, you need to patch extra.conf.in using 
the included extra.conf.in.patch diff file. This is a diff 
from svn trunk.

Feel free to request further changes.

-jose


subrequests.t
Description: Troff document


subrequests-20061001.tgz
Description: GNU Unix tar archive

Re: svn commit: r579664 - in /httpd/httpd/trunk: CHANGES server/request.c

[Jose Kahan]

Hi nd,

On Wed, Sep 26, 2007 at 08:40:08PM +0200, Andr?? Malo wrote:
> >
> > URL: http://svn.apache.org/viewvc?rev=579664&view=rev
> > Log:
> > Reinstate location walk for subrequests
> > PR 41960 (Jose Kahan)
> 
> I don't see how the comment matches the patch. We always had location walks 
> for subrequests, but not for *file* subrequests. How does that make sense?
> 
> I'm sure this will break a lot of stuff and assumptions. mod_cern_meta comes 
> into mind plus everywhere, where you really want to sub request for a file 
> and not a location (and don't even have a good location to map to)

If it may assure you...

The comments of my patch just describe the behavior I saw. There may
be better appropriate language for it.

I have test cases that show how location walk wasn't working anymore and
how the patch fixes it. I've just sent one such message to the list.

I think that best thing would be for you to try the patch and test out
the scenarios you think it will break down and report back to the list 
if that is the case? Or point out places in the code that will be
at risk?

For the record, the W3C  production web servers are using this 
patch since some time ago and we haven't experienced any i
weird behavior. Of course, this doesn't exclude problems with
server configuration options that we don't use.

Cheers,

-jose

Re: Jose's recent location test/failures

[Jose Kahan]

Hello Bill,

Thanks for your reply.

On Wed, Sep 26, 2007 at 02:05:26PM -0500, William A. Rowe, Jr. wrote:
>
> I believe the mistaken assumption is that charset can be used in this way.
> AddCharset should be used in this case.
>
> If no AddCharset is applied, AddDefaultCharset takes over.
>
> http://httpd.apache.org/docs/2.2/mod/mod_mime.html#addcharset
> http://httpd.apache.org/docs/2.2/mod/core.html#adddefaultcharset
>
> Is that the origin of this observed 'flaw'?


Indeed, the text of my test may be ambiguous. The flaw
that I noticed is related to subrequests not taking into account
what is inside the different ,  and .htaccess
sections.

I made a quick modification to my tests using AddCharset:

[[

 Options +MultiViews
 AddCharset something .mt

]]

Elsewhere, in the configuration file I have

AddDefaultCharset iso-8859-1
AddType text/html html htm

I also have a file named test.html.mt in the conneg-test directory.

---

Doing the tests with Apache 2.2.6:

  HEAD http://localhost/conneg-test/test.html.mt

returns

  Content-Type: text/html; charset=something

whereas 

  HEAD http://localhost/conneg-test/test.html
  HEAD http://localhost/conneg-test/test

both return

  Content-Type: text/html; charset=iso-8859-1

Thus showing that the specific AddCharset is not being
taken into account in subrequests. I think this would
be the case for any other directive in those sections.
This is fixed by my patch (that was committed today, 
many thanks :).

If these tests are less ambiguous in this new form, I can
resubmit them.

-jose

[mod_spelling] misuse of AcceptPathInfo?

[Jose Kahan]

Hi,

Since Apache 2.2, one has to turn on AcceptPathInfo
in order to correct directory mispelings:


   CheckSpelling On
   AcceptPathInfo On


This is because mod_speling has the following code:

[[
/* we default to reject path info (same as core handler) */
if ((r->used_path_info != AP_REQ_ACCEPT_PATH_INFO) &&
r->path_info && *r->path_info) {
return DECLINED;
}
]]

Having to turn on the AcceptPathInfo to be able to use
mod_speling seems wrong. When Apache is parsing a URI and
doesn't find an equivalent filename, it is storing the
"extra" information into r->path_info. However, unless
AcceptPathInfo is turned on, mod_speling won't even try
to fix the spelling.

For example, the following URI is a valid one:

  http://www.w3.org/TR/2004/WD-ccxml-20040430/

If AcceptPathInfo has a value different than On, we will 
get a 404 status on the following (TR spelled as tr):

  http://www.w3.org/tr/2004/WD-ccxml-20040430/

thus defeating the benefits of using of mod_speling.

On the other hand, if you turn on AcceptPathInfo, you
get mod_speling to work. On the other hand, you
are accepting PathInfo even if you don't want, and even
if it's a bogus.  Any time a file foo.ext exists, requests for 
foo/* are served with 200 OK status. e.g.,

http://www.w3.org/MarkUp/Overview/asdf
http://www.w3.org/MarkUp/Overview.html/asdf

Moreover, this breaks the browser-side resolution of 
relative links.

Our stats show that Apache 1.x didn't accept bogus PathInfo. The
above URIs would return a 404 status, just as if we had 
never enabled AcceptPathInfo in 2.2.

Is there any special reason as to why mod_speling is running
conditional to the value of AcceptPathInfo? I don't see
any benefit to it as you have to enable AcceptPathInfo for your
server and you get side effects.

Does it make sense to remove that check from mod_speling?

Thanks,

-jose

[bug + naive patch] mod_negotiation + query parameters

[Jose Kahan]

Hi, 

This is a bug similar to PR 33112 which was fixed in 2.2.6.

Query strings are not being passed along when mod_negotiation
combines  multiviews with typemap processing.

The guilty party is the call to 

   ap_internal_fast_redirect(sub_req, r)

in mod_negotiation.c:handle_multi() which discards the 
previously parsed args and path_info. That info is 
not regenerated again. I'm including a very naive patch 
against 2.2.6 that fixes this.  I'm sure there is a 
better way to fix it, but need more of your guidance 
to achieve it in an optimal way.

Here's a test scenario to show this bug. Please adjust accordingly
to your server setup. I assume the use of php
for printing out the query parameters; you could use
perl or a shell script too):

1. In a directory, put the three files that I've attached:
   test.html, test.php, test.var

2. query the server for test.php?q=3  

   http://localhost/test.php?q=3

==> you'll see that the query parameters are correctly
passed to the script.

3. query the server for test?q=3

   http://localhost/test?q=3

==> in this case, the query parameters have been discarded
by mod_negotiation's call to 
ap_internal_fast_redirect inside handle_multi().

You'll see that my naive solution is to make a backup copy of
args and path_info, if they existed, before the call to 
ap_internal_fast_redirect(), and then restoring them. This
effectively solves the bug. I don't know if there's a better
way to do this.

Thanks,

-jose
Title: type map test



	


you shouldn't see this html file


URI: test

URI: test.php
Content-type: text/html;qs=1.0

URI: test.html
Content-type: text/html;qs=0.01


test.php
Description: application/httpd-php
--- mod_negotiation.c.orig	2007-09-25 15:47:37.0 +0200
+++ mod_negotiation.c	2007-09-25 15:47:45.0 +0200
@@ -3132,7 +3132,28 @@
 }
 
 /* now do a "fast redirect" ... promotes the sub_req into the main req */
-ap_internal_fast_redirect(sub_req, r);
+{
+  /* save the previous parsed args and path_info */
+  char *args;
+  char *path_info;
+  
+  if (r->args) {
+	args = apr_pstrdup(r->pool, r->args);
+  } else {
+	args = NULL;
+  }
+
+  if (r->path_info) {
+	r->path_info = apr_pstrdup(r->pool, r->path_info);
+  } else {
+	path_info = NULL;
+  }
+  ap_internal_fast_redirect(sub_req, r);
+
+  /* restore the parsed args and path info */
+  r->args = args;
+  r->path_info = path_info;
+}
 
 /* give no advise for time on this subrequest.  Perhaps we
  * should tally the last mtime amoung all variants, and date

Re: Patch (against trunk) for bug #41960

[Jose Kahan]

Hello,

Congratulations on the new release 2.2.6. 

Would there be any possiblity of applying (or reviewing) my
outstanding patch? request.c hasn't evolved since I did the
patch against trunk.

I had also submitted a new test procedure for the test suite.
It hasn't yet been commited, although it reproduces the faulty
behavior that my patch is intended to fix.

I don't know what else to do to  be able to submit a valid bug
report and potential patch to you: patch against trunk, new test
for the perl framework, ... chocolate-chip cookies? 

I may be missing something in the Apache procedure for submitting
this. I would have expected someone to point it out to me since I 
first submitted the bug report late March. 

Thanks,

-jose

Patch (against trunk) for bug #41960

[Jose Kahan]

Hi folks,

Just a short messsage to tell you that I just uploaded
the patch against svn trunk that fixes this bug. Yes,
the patch is still needed as the bug is unfortunately
still around :-/.

Is there any hope of seeing this patch committed? Our 
internal production server has been working with it
since some months with no side effects. Earlier today
I contributed to this list some tests against your svn 
perl-framework that allows to reproduce the bug. This 
can be useful if you want to resolve this bug differently.

Feel free to contact me if you need further tests
or changes to the patch.

Best regards and thanks for all your hard work,

-jose

[1] http://issues.apache.org/bugzilla/show_bug.cgi?id=41960

New test: subrequests and content negotiation

[Jose Kahan]

Hi!

Here's my first submission. This test is written against your
perl-framework test environment.

It tests that subrequests are correctly parsing and taking into
account directives that are declared in ,  sections
and .htaccess files. I'm using the same test scenario I gave in bug
#41960.

Basically, this requires having the following global content-type:
AddType text/html; charset=iso-8859-1   html/htm

The test consists on overloading the charset to utf-8:
AddType text/html; charset=utf-8html/htm

in the test locations under t/apache/subrequests/, one each
for , , and .htaccess. There is a file each
time that is being requested with its complete name 
http:///apache/subrequests/.../hello.html

and through content-negotiation:
http:///apache/subrequests/.../hello

It is the content-negotiation that is being processed thru subrequests.

The patch I sent to bug #41960 fixes the subrequest bugs. Without
that patch, one of these tests will return an error (under Apache/2.2.4).

I'm attaching a tgz file which includes a patch to extra.conf.in,
and new files to be stored under t/htdocs/apache/subrequests and
t/subrequests.t The tar archive contains the full hierarchy.

I put this test under t/apache rather than under t/modules because it
is testing subrequests, even if we do so thru content-negotiation. The
tests could be expanded to any other directive that is declared for
a specific location.

Comments are welcome.

Cheers,

-jose

=== inline version of the test and extra.config.in section follows ==

=== subrequests.t 

use strict;
use warnings FATAL => 'all';

use Apache::Test;
use Apache::TestRequest;
use Apache::TestUtil;

plan tests => 6, have_module qw(mod_negotiation mod_mime);

## Returns ok if the returned content-type is the same as the 
## expected one.
#
sub check_content_type  
{
my $path = shift;
my $expected = shift;
my $error_msg = shift;

my $h = HEAD_STR $path;

## parse response headers looking for our headers
my $actual_value;
foreach my $head (split /\n/, $h) {
if ($head =~ /^Content-Type: (.*)$/) {
$actual_value = $1;
last;
}
}

ok t_cmp($actual_value, $expected, $error_msg);

}

## The server is configured to return text/html; charset=iso8859-1 by default
## The different section overrides change this to charset=utf-8. 
## We do the test with and without content-negotiation

my $expected_type = "text/html; charset=utf-8";

check_content_type ("/apache/subrequests/dir_override/hello.html", 
$expected_type,
"subrequests with  overrides");
check_content_type ("/apache/subrequests/dir_override/hello", 
$expected_type,
"subrequests with  overrides and conn-neg");

check_content_type ("/apache/subrequests/location_override/hello.html",
$expected_type,
"subrequests with  overrides");
check_content_type ("/apache/subrequests/location_override/hello",
$expected_type,
"subrequests with  overrides and conn-neg");

check_content_type ("/apache/subrequests/htaccess_override/hello.html",
$expected_type,
"subrequests with .htaccess overrides");
check_content_type ("/apache/subrequests/htaccess_override/hello",
$expected_type,
"subrequests with .htaccess overrides and conn-neg");

== extra.conf.in section ==

##
## subrequests test config
##



   AddType text/html;charset=iso-8859-1 html htm




   
  Options +MultiViews
  AddType text/html;charset=utf-8   html htm
   

   
  Options +MultiViews
  AddType text/html;charset=utf-8   html htm
   
   
  Options +MultiViews
  AllowOverride FileInfo
   






subrequesttest.tgz
Description: GNU Unix tar archive

How to contribute new tests to the Apache TestSuite?

[Jose Kahan]

Hi!

I've added some tests to your Perl Framework test suite (latest
co from svn). These tests cover subrequests and content-negotiation,
following the bug report (and patch) I sent as bug #41960.

For these tests, I added a new test script (.t), a new section
to extra.conf.in, and a new subdirectory (with content) to htdocs.

Could you tell me what is the best way to submit this patch to
save you time in its evaluation / integration? And also, what's
the easiest way to generate it for you? (svn diff?).

Many thanks,

-jose