[PATCH PR55304] mod_dav: COPY should not validate the parent of request.
This patch fixes a regression created by the PR54610. COPY does not modify the parent of the source, so it should not be validating the parent. This issue actually disallows the ability to COPY the root of a DAV repository since a properly implemented DAV provider will return NULL and dav_method_copymove() will error on that. We ran into this with Subversion, which actually revealed a security issue with our implementation of get_parent_resource() since it failed on the root. But beyond that we realized we were not properly returning NULL for some resources when the resource is the root and thus has no parent. If we fix this without this patch being made to mod_dav then HTTP 2.2.25 and 2.4.6 will lose the ability to COPY the root. If someone can apply it that would be appreciated. It's certainly been looked at by several eyes over on the Subversion side.
Re: [PATCH PR55304] mod_dav: COPY should not validate the parent of request.
Fixed in r1506714, and proposed for backport to 2.2.x and 2.4.x. On Wed, Jul 24, 2013 at 3:38 PM, Ben Reser b...@reser.org wrote: This patch fixes a regression created by the PR54610. COPY does not modify the parent of the source, so it should not be validating the parent. This issue actually disallows the ability to COPY the root of a DAV repository since a properly implemented DAV provider will return NULL and dav_method_copymove() will error on that. We ran into this with Subversion, which actually revealed a security issue with our implementation of get_parent_resource() since it failed on the root. But beyond that we realized we were not properly returning NULL for some resources when the resource is the root and thus has no parent. If we fix this without this patch being made to mod_dav then HTTP 2.2.25 and 2.4.6 will lose the ability to COPY the root. If someone can apply it that would be appreciated. It's certainly been looked at by several eyes over on the Subversion side.