Fixed: apache/httpd#2036 (trunk - 2baea6b)
Build Update for apache/httpd - Build: #2036 Status: Fixed Duration: 3 mins and 34 secs Commit: 2baea6b (trunk) Author: Ruediger Pluem Message: * Good catch by Yann: This is dead code git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894034 13f79535-47bb-0310-9956-ffa450edef68 View the changeset: https://github.com/apache/httpd/compare/d8b3d1f0f6ed...2baea6bf86a3 View the full build log and details: https://app.travis-ci.com/github/apache/httpd/builds/239448423?utm_medium=notification_source=email -- You can unsubscribe from build emails from the apache/httpd repository going to https://app.travis-ci.com/account/preferences/unsubscribe?repository=16806660_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://app.travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Re: svn commit: r1894024 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/mappers/mod_alias.c
On 10/8/21 5:21 PM, Yann Ylavic wrote:
> On Fri, Oct 8, 2021 at 12:49 PM wrote:
>>
>> Author: rpluem
>> Date: Fri Oct 8 10:49:06 2021
>> New Revision: 1894024
>>
>> URL: http://svn.apache.org/viewvc?rev=1894024=rev
>> Log:
>> * Make aliases more robust against potential traversal attacks, by using
>> apr_filepath_merge to merge the real path and the remainder of the fake
>> path like we do in the same situation for resources mapped by
>> DocumentRoot.
>>
> []
>>
>> --- httpd/httpd/trunk/modules/mappers/mod_alias.c (original)
>> +++ httpd/httpd/trunk/modules/mappers/mod_alias.c Fri Oct 8 10:49:06 2021
> []
>> @@ -553,8 +556,41 @@ static char *try_alias_list(request_rec
>>
>> found = apr_pstrcat(r->pool, alias->real, escurl, NULL);
>> }
>> -else
>> +else if (is_redir) {
>
> This is dead code because the first "if" tests for that already,
> should this block be removed then?
Good catch. r1894034.
>
>> found = apr_pstrcat(r->pool, alias->real, r->uri + l,
>> NULL);
>> +}
>> +else {
>> +apr_status_t rv;
>> +char *fake = r->uri + l;
>> +
>> +/*
>> + * For the apr_filepath_merge below we need a relative
>> path
>> + * Hence skip all leading '/'
>> + */
>> +while (*fake == '/') {
>> +fake++;
>> +}
>> +
>> +/* Merge if there is something left to merge */
>> +if (*fake) {
>> +if ((rv = apr_filepath_merge(, alias->real,
>> fake,
>> + APR_FILEPATH_TRUENAME
>> + |
>> APR_FILEPATH_SECUREROOT, r->pool))
>> +!= APR_SUCCESS) {
>> +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
>> APLOGNO(10297)
>> + "Cannot map %s to file",
>> r->the_request);
>> +return MERGE_ERROR;
>> +}
>> +canon = 0;
>> +}
>> +else {
>> +/*
>> + * r->uri + l might be either pointing to \0 or to a
>> + * string full of '/'s. Hence we need to cat.
>> + */
>> +found = apr_pstrcat(r->pool, alias->real, r->uri +
>> l, NULL);
>> +}
>> +}
>> }
>> }
>>
>> @@ -568,7 +604,7 @@ static char *try_alias_list(request_rec
>> * canonicalized. After I finish eliminating os canonical.
>> * Better fail test for ap_server_root_relative needed here.
>> */
>> -if (!is_redir) {
>> +if (!is_redir && canon) {
>> found = ap_server_root_relative(r->pool, found);
>
> I wonder if we shouldn't add APR_FILEPATH_NOTABOVEROOT in
> ap_server_root_relative() too.
Not sure. I guess ap_server_root_relative() origins from a different use case
processing more trusted data like in configuration
files where /../ going above the root might be fine. Furthermore it does not
help if the path given to ap_server_root_relative is
absolute and the path itself does not go beyond root. e.g
/www/docs/../../etc/passwd would not create any failure.
Regards
Rüdiger
Re: ap_server_root_relative
On Fri, Oct 8, 2021 at 3:23 PM ste...@eissing.org wrote:
>
> Yann, thanks for you PRs. Just one thing:
>
> ap_server_root_relative("/") -> "/"
>
> in my reading of the code. Why am I wrong?
Nothing wrong, it was my bad, but ap_server_root_relative() normalizes too so:
ap_server_root_relative("/here/../there") -> "/there"
And Before Rüdiger's r1894024, mod_alias could have:
ap_server_root_relative("/here/../../there") -> "/there"
Cheers;
Yann.
Re: svn commit: r1894024 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/mappers/mod_alias.c
On Fri, Oct 8, 2021 at 12:49 PM wrote:
>
> Author: rpluem
> Date: Fri Oct 8 10:49:06 2021
> New Revision: 1894024
>
> URL: http://svn.apache.org/viewvc?rev=1894024=rev
> Log:
> * Make aliases more robust against potential traversal attacks, by using
> apr_filepath_merge to merge the real path and the remainder of the fake
> path like we do in the same situation for resources mapped by
> DocumentRoot.
>
[]
>
> --- httpd/httpd/trunk/modules/mappers/mod_alias.c (original)
> +++ httpd/httpd/trunk/modules/mappers/mod_alias.c Fri Oct 8 10:49:06 2021
[]
> @@ -553,8 +556,41 @@ static char *try_alias_list(request_rec
>
> found = apr_pstrcat(r->pool, alias->real, escurl, NULL);
> }
> -else
> +else if (is_redir) {
This is dead code because the first "if" tests for that already,
should this block be removed then?
> found = apr_pstrcat(r->pool, alias->real, r->uri + l,
> NULL);
> +}
> +else {
> +apr_status_t rv;
> +char *fake = r->uri + l;
> +
> +/*
> + * For the apr_filepath_merge below we need a relative
> path
> + * Hence skip all leading '/'
> + */
> +while (*fake == '/') {
> +fake++;
> +}
> +
> +/* Merge if there is something left to merge */
> +if (*fake) {
> +if ((rv = apr_filepath_merge(, alias->real,
> fake,
> + APR_FILEPATH_TRUENAME
> + |
> APR_FILEPATH_SECUREROOT, r->pool))
> +!= APR_SUCCESS) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
> APLOGNO(10297)
> + "Cannot map %s to file",
> r->the_request);
> +return MERGE_ERROR;
> +}
> +canon = 0;
> +}
> +else {
> +/*
> + * r->uri + l might be either pointing to \0 or to a
> + * string full of '/'s. Hence we need to cat.
> + */
> +found = apr_pstrcat(r->pool, alias->real, r->uri +
> l, NULL);
> +}
> +}
> }
> }
>
> @@ -568,7 +604,7 @@ static char *try_alias_list(request_rec
> * canonicalized. After I finish eliminating os canonical.
> * Better fail test for ap_server_root_relative needed here.
> */
> -if (!is_redir) {
> +if (!is_redir && canon) {
> found = ap_server_root_relative(r->pool, found);
I wonder if we shouldn't add APR_FILEPATH_NOTABOVEROOT in
ap_server_root_relative() too.
Not that it helps here after your changes, but since we are on robustness..
> }
Regards;
Yann.
ap_server_root_relative
Yann, thanks for you PRs. Just one thing:
ap_server_root_relative("/") -> "/"
in my reading of the code. Why am I wrong?
Broken: apache/httpd#2033 (trunk - d8b3d1f)
Build Update for apache/httpd - Build: #2033 Status: Broken Duration: 17 mins and 29 secs Commit: d8b3d1f (trunk) Author: Ruediger Pluem Message: * Make aliases more robust against potential traversal attacks, by using apr_filepath_merge to merge the real path and the remainder of the fake path like we do in the same situation for resources mapped by DocumentRoot. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894024 13f79535-47bb-0310-9956-ffa450edef68 View the changeset: https://github.com/apache/httpd/compare/861c15e03c41...d8b3d1f0f6ed View the full build log and details: https://app.travis-ci.com/github/apache/httpd/builds/239420393?utm_medium=notification_source=email -- You can unsubscribe from build emails from the apache/httpd repository going to https://app.travis-ci.com/account/preferences/unsubscribe?repository=16806660_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://app.travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Re: svn commit: r1894021 - /httpd/httpd/trunk/server/util.c
HE CHANGED THE SACRED CODE!
浪
> Am 08.10.2021 um 11:02 schrieb rpl...@apache.org:
>
> Author: rpluem
> Date: Fri Oct 8 09:02:30 2021
> New Revision: 1894021
>
> URL: http://svn.apache.org/viewvc?rev=1894021=rev
> Log:
> * Optimize performance by moving calculation of loop invariant out of the loop
>
> Modified:
>httpd/httpd/trunk/server/util.c
>
> Modified: httpd/httpd/trunk/server/util.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1894021=1894020=1894021=diff
> ==
> --- httpd/httpd/trunk/server/util.c (original)
> +++ httpd/httpd/trunk/server/util.c Fri Oct 8 09:02:30 2021
> @@ -505,6 +505,7 @@ AP_DECLARE(int) ap_normalize_path(char *
> int ret = 1;
> apr_size_t l = 1, w = 1, n;
> int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
> +int merge_slashes = (flags & AP_NORMALIZE_MERGE_SLASHES) != 0;
>
> if (!IS_SLASH(path[0])) {
> /* Besides "OPTIONS *", a request-target should start with '/'
> @@ -549,7 +550,7 @@ AP_DECLARE(int) ap_normalize_path(char *
>
> if (w == 0 || IS_SLASH(path[w - 1])) {
> /* Collapse / sequences to / */
> -if ((flags & AP_NORMALIZE_MERGE_SLASHES) && IS_SLASH(path[l])) {
> +if (merge_slashes && IS_SLASH(path[l])) {
> do {
> l++;
> } while (IS_SLASH(path[l]));
>
>
Re: Ineract with travis? (was: Errored: apache/httpd#1888 (trunk - 47e6ece))
On Fri, Sep 24, 2021 at 02:28:15PM +0200, Yann Ylavic wrote: > On Fri, Sep 24, 2021 at 2:06 PM Yann Ylavic wrote: > > > > On Mon, Sep 6, 2021 at 5:30 PM Joe Orton wrote: > > > > > > If you're logged into Github you can restart > > > individual jobs which are Errored, which I've done just now. > > > > I'm logged into Github+Travis with my ASF account (travis seems to > > recognize me as a member of the ASF org) but somehow I can't interact > > with jobs (restart/cancel). > > > > Anything special to do in my settings (that I missed) or is it > > something to ask of infra or Joe (which seems to have some karma > > already)? > > I have apache/httpd-site, apache/www-site and some > apache/infrastructure-* auto-registered in "My Repositories" (for > which I can trigger builds, can't find cancel though), but > apache/httpd is not in the list so I think that's why.. Did you work out how to do this? I never asked for special rights here AFAIK, I assumed everybody in the "httpd-committers" group could do it, but your github user is listed there too: https://github.com/orgs/apache/teams/httpd-committers/members Regards, Joe
annou...@httpd.apache.org missing
The 2.4.51 announcement on annou...@httpd.apache.org did not make it, as seen in the mailing list archives. I have no idea why not. Any moderator of that list here? - Stefan
