Re: OpenSSL 1.02, PCRE 2.10

2015-04-28 Thread Stefan Eissing
./configure --enable-mpms-shared=all --with-included-apr --with-ssl=dir

and on OS X additionally a locally installed pcre  --with-pcre=dir

apr 1.5.1, apr-util 1.5.4, local pcre 8.36 on OS X (+ some homebrew things I 
already had)

Hope that helps,

  Stefan

> On 28.04.2015 at 14:08, Tom Browder tom.brow...@gmail.com wrote:
> 
> On Tue, Apr 28, 2015 at 7:05 AM, Stefan Eissing
> stefan.eiss...@greenbytes.de wrote:
>> Have openssl 1.0.2 running with 2.4.12 in a local installation on Ubuntu 
>> 14.04. No special wrestling other than --with-openssl=… in configure.
> 
> How about apr and apr-util: locally built and installed system-wide or
> '--with-included-apr'?
> 
> Best,
> 
> -Tom

green/bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782





OpenSSL 1.02, PCRE 2.10

2015-04-28 Thread Tom Browder
I can't get httpd to work with either of the two subject packages, and
I found other, similar results from a web search.  Is there a
work-around for either or both, or do I have to drop back and punt
with older packages?

Best,

-Tom

P.S.  I have offered to start a tutorial on the wiki ref 2.4
configuration and installation but no reply yet.


Re: OpenSSL 1.02, PCRE 2.10

2015-04-28 Thread Tom Browder
On Tue, Apr 28, 2015 at 6:45 AM, Eric Covener cove...@gmail.com wrote:
> On Tue, Apr 28, 2015 at 7:36 AM, Tom Browder tom.brow...@gmail.com wrote:
>> I can't get httpd to work with either of the two subject packages, and
>> I found other, similar results from a web search.  Is there a
>> work-around for either or both, or do I have to drop back and punt
>> with older packages?
>
>
> AIUI PCRE2 doesn't work and it's not just a trivial port.

I understand.

> about openssl 1.02 though -- what exactly do you see?

I see this when attempting to start apache:

/usr/local/apache2/bin/httpd: symbol lookup error:
/usr/local/apache2/bin/httpd: undefined symbol: SSL_CONF_CTX_new

Maybe I need to play tricks with ld.so.conf and openssl?  I have no
system installed openssl, just my locally built version (1.0.2).  In
my configuration options I have:

SSLDIR=/opt/openssl
export LDFLAGS=-L${SSLDIR}/lib
$SRCDIR/configure  \
--prefix=/usr/local/apache2\
--with-included-apr\
\
--enable-ssl   \
--enable-ssl-staticlib-deps\
--enable-mods-static=ssl   \
--with-ssl=${SSLDIR}   \
\
--enable-mods-shared=reallyall \
--with-perl\
--with-python  \
--enable-layout=Apache \
--with-pcre=/usr/local/bin/pcre-config \
--without-ldap \
--enable-session-crypto\
--with-crypto  \
--with-openssl=/opt/openssl

Thanks, Eric.

Best,

-Tom


Re: *Match, RewriteRule POLA violation?

2015-04-28 Thread Yann Ylavic
It seems that while Location is compared to ap_no2slash(r->uri),
LocationMatch is matched against r->uri directly.
That's probably the issue.

A possible fix (untested) could be:

Index: server/request.c
===
--- server/request.c(revision 1674695)
+++ server/request.c(working copy)
@@ -1446,7 +1446,7 @@
 pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
 }

-if (ap_regexec(entry_core-r, r-uri, nmatch, pmatch, 0)) {
+if (ap_regexec(entry_core-r, entry_uri, nmatch, pmatch, 0)) {
 continue;
 }
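Review bot: `entry_uri` appears in the replaced `ap_regexec` call without any declaration or assignment visible in this hunk; the fix is only correct if `entry_uri` already holds the ap_no2slash()-normalized copy of r->uri that the non-regex Location comparison uses, and if it is populated before this point on the regex branch as well, which the surrounding context does not show. The commit message should also say explicitly that LocationMatch now sees the slash-coalesced URI: existing `/+` patterns keep working, but a pattern can no longer distinguish `/slash///foo` from `/slash/foo`.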

@@ -1456,7 +1456,7 @@
 apr_table_setn(r-subprocess_env,
((const char
**)entry_core-refs-elts)[i],
apr_pstrndup(r-pool,
-   r-uri + pmatch[i].rm_so,
+   entry_uri + pmatch[i].rm_so,
pmatch[i].rm_eo - pmatch[i].rm_so));
 }
 }
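Review bot: changing the `apr_pstrndup` source to `entry_uri` is mandatory once the first hunk matches against `entry_uri`, not a cosmetic follow-up: `pmatch[i].rm_so` and `rm_eo` are offsets into the string handed to ap_regexec, so reading them out of `r->uri` would yield shifted or truncated named-capture values in subprocess_env exactly in the multi-slash case this patch targets. The two hunks must land together.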
--

On Mon, Apr 27, 2015 at 10:52 PM, Jim Riggs apache-li...@riggs.me wrote:
> This came up at ApacheCon a couple of weeks ago. I just took this knowledge 
> for granted, as I have always accounted for it, but both Rich and Trawick 
> were surprised. As I thought about it some more, it seems this may be a POLA 
> violation. Thoughts? If we agree it should be fixed, I can make the bugz and 
> make a patch.
>
> Consider:
>
> <Location /slash/foo>
>  ...
> </Location>
>
> vs.
>
> <LocationMatch ^/slash/foo>
>  ...
> </LocationMatch>
>
>
> These do not behave the same if multiple slashes are used. The leading 
> slashes are always coalesced, so ^/... is fine; however, any intermediate 
> slashes are not. So, in order for the LocationMatch directive above to behave 
> the same as the Location, it has to be specified as ^/slash/+foo. Like I 
> said, I have always accounted for this in my regexps, but it doesn't seem 
> right. Should the URL be normalized before being passed to regex-matching 
> directives, or is there a specific reason that is not done?
>
> +---------------+--------------+--------------+--------------+
> | Path          | Non-Regex    | *Match,      | *Match,      |
> |               | Directive:   | RewriteRule: | RewriteRule: |
> |               | /slash/foo   | ^/slash/foo  | ^/slash/+foo |
> +---------------+--------------+--------------+--------------+
> | /slash/foo    | Match        | Match        | Match        |
> +---------------+--------------+--------------+--------------+
> | slash/foo     | Match        | Match        | Match        |
> +---------------+--------------+--------------+--------------+
> | /slash///foo  | Match        | XXX          | Match        |
> +---------------+--------------+--------------+--------------+
> | slash///foo// | Match        | XXX          | Match        |
> +---------------+--------------+--------------+--------------+

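To make the discrepancy in Jim's table concrete, here is an added example (my code, not httpd's) that models both behaviours: `no2slash` is a stand-in for httpd's ap_no2slash(), POSIX ERE via <regex.h> stands in for PCRE, and `locationmatch_normalized` is what Yann's patch would do, applying the pattern to the slash-coalesced URI instead of the raw r->uri.

```c
#include <regex.h>
#include <string.h>

/* Collapse every run of '/' into a single '/', in place. Stand-in for
 * httpd's ap_no2slash(), which the <Location> comparison is fed through. */
static void no2slash(char *uri)
{
    char *d = uri;
    const char *s = uri;
    while (*s) {
        if (*s == '/') {
            *d++ = '/';
            while (*s == '/')
                s++;
        }
        else {
            *d++ = *s++;
        }
    }
    *d = '\0';
}

/* Today's <LocationMatch>: the regex is applied to the raw request URI, so
 * "/slash///foo" slips past "^/slash/foo" unless the pattern says "/+".
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
static int locationmatch_raw(const char *pattern, const char *uri)
{
    regex_t re;
    int rc;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, uri, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* <LocationMatch> with the proposed fix: the regex sees the same
 * slash-coalesced URI that <Location /slash/foo> is compared against. */
static int locationmatch_normalized(const char *pattern, const char *uri)
{
    char buf[1024];
    if (strlen(uri) >= sizeof buf)
        return -1;
    strcpy(buf, uri);
    no2slash(buf);
    return locationmatch_raw(pattern, buf);
}
```

The XXX cells in the table are the `locationmatch_raw` results for `^/slash/foo`; the `^/slash/+foo` column is what a config author has to write today to get the normalized behaviour.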


Re: OpenSSL 1.02, PCRE 2.10

2015-04-28 Thread Stefan Eissing
Have openssl 1.0.2 running with 2.4.12 in a local installation on Ubuntu 14.04. 
No special wrestling other than --with-openssl=… in configure.

//Stefan

> On 28.04.2015 at 13:45, Eric Covener cove...@gmail.com wrote:
> 
> On Tue, Apr 28, 2015 at 7:36 AM, Tom Browder tom.brow...@gmail.com wrote:
>> I can't get httpd to work with either of the two subject packages, and
>> I found other, similar results from a web search.  Is there a
>> work-around for either or both, or do I have to drop back and punt
>> with older packages?
> 
> 
> AIUI PCRE2 doesn't work and it's not just a trivial port.  Surprised
> about openssl 1.02 though -- what exactly do you see?

green/bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782





Re: OpenSSL 1.02, PCRE 2.10

2015-04-28 Thread Eric Covener
On Tue, Apr 28, 2015 at 7:36 AM, Tom Browder tom.brow...@gmail.com wrote:
> I can't get httpd to work with either of the two subject packages, and
> I found other, similar results from a web search.  Is there a
> work-around for either or both, or do I have to drop back and punt
> with older packages?


AIUI PCRE2 doesn't work and it's not just a trivial port.  Surprised
about openssl 1.02 though -- what exactly do you see?


Re: OpenSSL 1.02, PCRE 2.10

2015-04-28 Thread Tom Browder
On Tue, Apr 28, 2015 at 7:05 AM, Stefan Eissing
stefan.eiss...@greenbytes.de wrote:
> Have openssl 1.0.2 running with 2.4.12 in a local installation on Ubuntu 
> 14.04. No special wrestling other than --with-openssl=… in configure.

How about apr and apr-util: locally built and installed system-wide or
'--with-included-apr'?

Best,

-Tom


Listen on UDS

2015-04-28 Thread Jim Jagielski
Anyone looked into having httpd be able to Listen on a UDS, as
well as scenarios where we may want that even?



patch to mod_authz_dbd to handle query parameters

2015-04-28 Thread Jose Kahan
Hi,

I realized that my last message was missing a part of the
info I had prepared. I'm resending it with a new subject
to make it clearer what it is.

I slightly revised the patch in that it had an unused variable.
I don't know why -Wc-Wunused didn't work with apxs2.

To compile and install the patch:

 apxs2  -i -a -c mod_authz_dbd.c

Looking forward to your feedback or RFE. More details here below.

I'm also opening a bug report for the dbd issue I found (and fixed
in this patch).

Cheers,

-jose

DETAILED REPORT


Work done:

- As discussed earlier in this thread, new require dbd-query directive
  for supporting query parameters.  If the query returns at least one
  row, we consider that access is granted.

- It's now possible to use query parameters for dbd-login and
  dbd-logout. If no parameter is given, the default value is
  %{REMOTE-USER} to keep backwards compatibility.

- While testing the changes for dbd-login, a server misconfiguration
  revealed a SIGSEGV. If the dbd handle preparation fails due to a
  misconfiguration of the database server or the access rights to the
  table, the server logs something along these lines:

   AH00632: failed to prepare SQL statements: UPDATE command denied to 
   user 'foo'@'exampleorg' for table 'bar'

  As a consequence, the call to dbd_handle(r) returns NULL. However,
  in mod_authz_dbd, there was no control for the value of dbd before
  its being used in both authz_dbd_login() and authz_dbd_group():

   ap_dbd_t *dbd = dbd_handle(r);
   ...
   query = apr_hash_get(dbd->prepared,  <--- SIGSEGV

  I added a check to protect against this case.

Open issues:

- I wanted to control that the number of bind arguments corresponds to
  those in the prepared request. However, this value is not visible in
  apr_dbd_prepared_t *query.  Looking at the code in apr_dbd.c, I see
  that even though the number of bind arguments is being passed to
  apr_dbd_pselect() and apr_dbd_pquery() in nargs, this argument is
  discarded before calling the implementation of those functions in
  the driver.

  At least in the mysql driver, there is no further check that there
  is an equivalence between the bind and prepared statement
  arguments. In both cases there is just a call to

mysql_stmt_bind_param(statement->stmt, bind);

  which expects bind to have the correct number of arguments. I
  checked the sqlite3 driver and it has the same issue.

  If bind has more arguments, there is no issue. If there are fewer, we
  risk a SIGSEGV or unexpected behavior.

  To avoid this issue, I wanted to control the number of arguments
  when parsing the configuration file and show a configuration error
  when necessary. However, as the prepared query goes into opaque
  driver implementations, I don't have access to its nargs value. Are
  there any ideas on how to get this info?  The only hack I could
  think of is counting the number of % inside the prepared query and
  making sure that we have the corresponding number of bind arguments.

- Would it be worth it to connect this module to mod_socache.c?

Other questions:

- In function dbd_parse_config, I was unable to decide whether it
  would be ok to use cmd->temp_pool instead of cmd->pool in my call to
  ap_getword_white()

- I am using ap_expr_parse_cmd() on each argument of the require
  dbd-query, dbd-login, and dbd-logout directives. I think this is
  akin to building an expression tree for each argument. Is there a
  more efficient way to do so?
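As an added example of the placeholder-counting hack from the open issue above (my code, not the patch's): `dbd_count_placeholders` applies what I read as the rule apr_dbd_prepare() in apr_dbd.c uses to compute the nargs it hands the driver (a '%' followed by a letter starts a placeholder, "%%" is a literal percent sign); treat that as an assumption. `dbd_check_bind_count` is the configuration-time check, and assumes the module can get at the SQL text registered for the label.

```c
#include <ctype.h>

/* Count the bind placeholders in an apr_dbd prepared-statement string.
 * Assumed to mirror apr_dbd_prepare() in apr_dbd.c: '%' followed by a
 * letter introduces a placeholder (%s, %d, %hhd, %pDi, ...), "%%" is an
 * escaped literal '%' and binds nothing; any other '%' is ignored. The
 * remaining letters of %hhd or %pDi are not '%', so they are not counted
 * a second time. */
static int dbd_count_placeholders(const char *query)
{
    int nargs = 0;
    const char *q;
    for (q = query; *q; q++) {
        if (*q != '%')
            continue;
        if (q[1] == '%') {          /* "%%": literal, skip the pair */
            q++;
            continue;
        }
        if (isalpha((unsigned char)q[1]))
            nargs++;
    }
    return nargs;
}

/* Configuration-time check for a "Require dbd-query label args..." line.
 * Returns 0 when the argument count matches the query's placeholders,
 * -1 when too few were given (the unsafe case: the driver would hand
 * mysql_stmt_bind_param() a bind array shorter than the statement expects)
 * and 1 when too many were given (harmless, but still a config mistake). */
static int dbd_check_bind_count(const char *query, int nargs_given)
{
    int expected = dbd_count_placeholders(query);
    if (nargs_given == expected)
        return 0;
    return nargs_given < expected ? -1 : 1;
}
```

Because `%%` is skipped, a LIKE pattern such as `'%%admin%%'` in the query does not inflate the count.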

Index: /tmp/httpd-trunk/modules/aaa/mod_authz_dbd.c
===
--- /tmp/httpd-trunk/modules/aaa/mod_authz_dbd.c	(revision 1676575)
+++ /tmp/httpd-trunk/modules/aaa/mod_authz_dbd.c	(working copy)
@@ -109,7 +109,45 @@
 {NULL}
 };
 
+static int evaluate_query_parameters(request_rec *r, 
+ const apr_array_header_t *parsed_require_args, 
+ const void **query_parameters)
+{
+int i;
+apr_array_header_t *qp;
+
+const ap_expr_info_t *expr = NULL;
+const char *parameter;
+
+const char *err = NULL;
+
+/* evaluate the query parameters in parsed_require_args */
+qp = apr_array_make(r-pool, 
+			parsed_require_args-nelts, 
+			sizeof (char *));
+
+for (i = 0; i  parsed_require_args-nelts; i++) {
+
+expr = ((const ap_expr_info_t **)parsed_require_args-elts)[i];
+parameter = ap_expr_str_exec(r, expr, err);
+
+if (err) {
+ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+  authz_dbd in evaluate query_parameters: Can't 
+  evaluate require expression: %s, err);
+return HTTP_INTERNAL_SERVER_ERROR;
+}
+
+*(const char **)apr_array_push(qp) = parameter;
+}
+
+*query_parameters = (void *)qp;
+
+return OK;
+}
+
 static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg,
+			   const 
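Review bot: `APLOGNO()` in the error branch of evaluate_query_parameters() is empty; httpd needs a unique log-message tag number there before this can be committed. On that same error path the function returns HTTP_INTERNAL_SERVER_ERROR without ever assigning `*query_parameters`, so every caller has to check the return value before touching the output pointer; setting `*query_parameters = NULL` at the top would make that failure mode safe by construction. The hunk is cut off at the changed `authz_dbd_login` signature, so the callers cannot be reviewed from this excerpt.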

Re: [VOTE] Release APR 1.5.2

2015-04-28 Thread Jeff Trawick

On 04/28/2015 12:18 PM, Eric Covener wrote:

> On Sat, Apr 25, 2015 at 8:13 AM, Jeff Trawick traw...@gmail.com wrote:
>
>> +/-1
>> [  ] Release APR 1.5.2 as GA
>
>
> +1 for release.  Tested on AIX/PPC32, HPUX/IA64 and Solaris/x64.
>
> HPUX and AIX had non-regression long standing failure in testxlate.

Can you respond on the dev@apr thread?  This was just bait for people 
with their phone activated in their pocket :)




Re: [VOTE] Release APR 1.5.2

2015-04-28 Thread Eric Covener
On Sat, Apr 25, 2015 at 8:13 AM, Jeff Trawick traw...@gmail.com wrote:
> +/-1
> [  ] Release APR 1.5.2 as GA


+1 for release.  Tested on AIX/PPC32, HPUX/IA64 and Solaris/x64.

HPUX and AIX had non-regression long standing failure in testxlate.


Re: svn commit: r1676593 - /httpd/httpd/trunk/modules/ldap/util_ldap.c

2015-04-28 Thread Eric Covener
2.4.x STATUS:
  * Current exceptions for RTC for this branch:
. mod_lua
. documentation
. non-Unix build
. non-Unix, single-platform code

How about improving/extending error messages like the above?

On Tue, Apr 28, 2015 at 2:56 PM,  cove...@apache.org wrote:
 Author: covener
 Date: Tue Apr 28 18:56:47 2015
 New Revision: 1676593

 URL: http://svn.apache.org/r1676593
 Log:
 Give a better hint.


 Modified:
 httpd/httpd/trunk/modules/ldap/util_ldap.c

 Modified: httpd/httpd/trunk/modules/ldap/util_ldap.c
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap.c?rev=1676593r1=1676592r2=1676593view=diff
 ==
 --- httpd/httpd/trunk/modules/ldap/util_ldap.c (original)
 +++ httpd/httpd/trunk/modules/ldap/util_ldap.c Tue Apr 28 18:56:47 2015
 @@ -331,7 +331,7 @@ static int uldap_connection_init(request
  rc = apr_ldap_rebind_add(ldc-rebind_pool, ldc-ldap, ldc-binddn, 
 ldc-bindpw);
  if (rc != APR_SUCCESS) {
  ap_log_error(APLOG_MARK, APLOG_ERR, rc, r-server, APLOGNO(01277)
 -LDAP: Unable to add rebind cross reference entry. Out 
 of memory?);
 +LDAP: Unable to add rebind cross reference entry. Out 
 of memory? Try 'LDAPReferrals OFF');
  uldap_connection_unbind(ldc);
  ldc-reason = LDAP: Unable to add rebind cross reference 
 entry.;
  return(rc);
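Review bot: the new `Try 'LDAPReferrals OFF'` hint only goes into the APLOGNO(01277) log text; `ldc->reason`, set two lines below, still carries the old "Unable to add rebind cross reference entry." wording, so anything that reports the failure via `reason` loses the hint. Consider updating both strings together, and saying why the referral setting is the likely cause, since the message otherwise still leads with "Out of memory?".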





-- 
Eric Covener
cove...@gmail.com


Re: Listen on UDS

2015-04-28 Thread Jim Riggs
> On 28 Apr 2015, at 10:20, Graham Leggett minf...@sharp.fm wrote:
> 
> On 28 Apr 2015, at 5:17 PM, Jim Jagielski j...@jagunet.com wrote:
> 
>> Anyone looked into having httpd be able to Listen on a UDS, as
>> well as scenarios where we may want that even?
> 
> I have always wanted it - one thing it allows us to do is reverse proxy to 
> versions of httpd (or other daemon software) running as another user, with a 
> proper hope of securing it.

+1. Reverse proxy is the prime example I can think of for it.



Re: Listen on UDS

2015-04-28 Thread Jim Jagielski
That's what I thought too, but I didn't want to assume :)

Let me look at what would be involved.

> On Apr 28, 2015, at 3:19 PM, Jim Riggs apache-li...@riggs.me wrote:
> 
>> On 28 Apr 2015, at 10:20, Graham Leggett minf...@sharp.fm wrote:
>> 
>> On 28 Apr 2015, at 5:17 PM, Jim Jagielski j...@jagunet.com wrote:
>> 
>>> Anyone looked into having httpd be able to Listen on a UDS, as
>>> well as scenarios where we may want that even?
>> 
>> I have always wanted it - one thing it allows us to do is reverse proxy to 
>> versions of httpd (or other daemon software) running as another user, with a 
>> proper hope of securing it.
> 
> +1. Reverse proxy is the prime example I can think of for it.
 



Re: *Match, RewriteRule POLA violation?

2015-04-28 Thread André Malo
* Jim Riggs wrote:

> This came up at ApacheCon a couple of weeks ago. I just took this knowledge
> for granted, as I have always accounted for it, but both Rich and Trawick
> were surprised. As I thought about it some more, it seems this may be a
> POLA violation. Thoughts? If we agree it should be fixed, I can make the
> bugz and make a patch.

I use /+ patterns all over the place (I even trained people to use them) and I 
was sure it was documented, but I can't seem to find it where I'd expect 
it. So, IMHO it just should be better documented. At least for something like 
mod_rewrite it should be possible to inspect the original URI (and possibly 
take some action).

nd

P.S.: had to look up POLA ;-)
-- 
Found on a web designer's site:
 "Programming in HTML, XML, WML, CGI, FLASH"

# André Malo # http://pub.perlig.de/ #


Re: Listen on UDS

2015-04-28 Thread Graham Leggett
On 28 Apr 2015, at 5:17 PM, Jim Jagielski j...@jagunet.com wrote:

> Anyone looked into having httpd be able to Listen on a UDS, as
> well as scenarios where we may want that even?

I have always wanted it - one thing it allows us to do is reverse proxy to 
versions of httpd (or other daemon software) running as another user, with a 
proper hope of securing it.

Regards,
Graham
—