Fixed: apache/httpd#2036 (trunk - 2baea6b)
Build Update for apache/httpd - Build: #2036 Status: Fixed Duration: 3 mins and 34 secs Commit: 2baea6b (trunk) Author: Ruediger Pluem Message: * Good catch by Yann: This is dead code git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894034 13f79535-47bb-0310-9956-ffa450edef68 View the changeset: https://github.com/apache/httpd/compare/d8b3d1f0f6ed...2baea6bf86a3 View the full build log and details: https://app.travis-ci.com/github/apache/httpd/builds/239448423?utm_medium=notification_source=email -- You can unsubscribe from build emails from the apache/httpd repository going to https://app.travis-ci.com/account/preferences/unsubscribe?repository=16806660_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://app.travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Re: svn commit: r1894024 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/mappers/mod_alias.c
On 10/8/21 5:21 PM, Yann Ylavic wrote: > On Fri, Oct 8, 2021 at 12:49 PM wrote: >> >> Author: rpluem >> Date: Fri Oct 8 10:49:06 2021 >> New Revision: 1894024 >> >> URL: http://svn.apache.org/viewvc?rev=1894024=rev >> Log: >> * Make aliases more robust against potential traversal attacks, by using >> apr_filepath_merge to merge the real path and the remainder of the fake >> path like we do in the same situation for resources mapped by >> DocumentRoot. >> > [] >> >> --- httpd/httpd/trunk/modules/mappers/mod_alias.c (original) >> +++ httpd/httpd/trunk/modules/mappers/mod_alias.c Fri Oct 8 10:49:06 2021 > [] >> @@ -553,8 +556,41 @@ static char *try_alias_list(request_rec >> >> found = apr_pstrcat(r->pool, alias->real, escurl, NULL); >> } >> -else >> +else if (is_redir) { > > This is dead code because the first "if" tests for that already, > should this block be removed then? Good catch. r1894034. > >> found = apr_pstrcat(r->pool, alias->real, r->uri + l, >> NULL); >> +} >> +else { >> +apr_status_t rv; >> +char *fake = r->uri + l; >> + >> +/* >> + * For the apr_filepath_merge below we need a relative >> path >> + * Hence skip all leading '/' >> + */ >> +while (*fake == '/') { >> +fake++; >> +} >> + >> +/* Merge if there is something left to merge */ >> +if (*fake) { >> +if ((rv = apr_filepath_merge(, alias->real, >> fake, >> + APR_FILEPATH_TRUENAME >> + | >> APR_FILEPATH_SECUREROOT, r->pool)) >> +!= APR_SUCCESS) { >> +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, >> APLOGNO(10297) >> + "Cannot map %s to file", >> r->the_request); >> +return MERGE_ERROR; >> +} >> +canon = 0; >> +} >> +else { >> +/* >> + * r->uri + l might be either pointing to \0 or to a >> + * string full of '/'s. Hence we need to cat. >> + */ >> +found = apr_pstrcat(r->pool, alias->real, r->uri + >> l, NULL); >> +} >> +} >> } >> } >> >> @@ -568,7 +604,7 @@ static char *try_alias_list(request_rec >> * canonicalized. After I finish eliminating os canonical. >> * Better fail test for ap_server_root_relative needed here. >> */ >> -if (!is_redir) { >> +if (!is_redir && canon) { >> found = ap_server_root_relative(r->pool, found); > > I wonder if we shouldn't add APR_FILEPATH_NOTABOVEROOT in > ap_server_root_relative() too. Not sure. I guess ap_server_root_relative() origins from a different use case processing more trusted data like in configuration files where /../ going above the root might be fine. Furthermore it does not help if the path given to ap_server_root_relative is absolute and the path itself does not go beyond root. e.g /www/docs/../../etc/passwd would not create any failure. Regards Rüdiger
Re: ap_server_root_relative
On Fri, Oct 8, 2021 at 3:23 PM ste...@eissing.org wrote: > > Yann, thanks for you PRs. Just one thing: > > ap_server_root_relative("/") -> "/" > > in my reading of the code. Why am I wrong? Nothing wrong, it was my bad, but ap_server_root_relative() normalizes too so: ap_server_root_relative("/here/../there") -> "/there" And Before Rüdiger's r1894024, mod_alias could have: ap_server_root_relative("/here/../../there") -> "/there" Cheers; Yann.
Re: svn commit: r1894024 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/mappers/mod_alias.c
On Fri, Oct 8, 2021 at 12:49 PM wrote: > > Author: rpluem > Date: Fri Oct 8 10:49:06 2021 > New Revision: 1894024 > > URL: http://svn.apache.org/viewvc?rev=1894024=rev > Log: > * Make aliases more robust against potential traversal attacks, by using > apr_filepath_merge to merge the real path and the remainder of the fake > path like we do in the same situation for resources mapped by > DocumentRoot. > [] > > --- httpd/httpd/trunk/modules/mappers/mod_alias.c (original) > +++ httpd/httpd/trunk/modules/mappers/mod_alias.c Fri Oct 8 10:49:06 2021 [] > @@ -553,8 +556,41 @@ static char *try_alias_list(request_rec > > found = apr_pstrcat(r->pool, alias->real, escurl, NULL); > } > -else > +else if (is_redir) { This is dead code because the first "if" tests for that already, should this block be removed then? > found = apr_pstrcat(r->pool, alias->real, r->uri + l, > NULL); > +} > +else { > +apr_status_t rv; > +char *fake = r->uri + l; > + > +/* > + * For the apr_filepath_merge below we need a relative > path > + * Hence skip all leading '/' > + */ > +while (*fake == '/') { > +fake++; > +} > + > +/* Merge if there is something left to merge */ > +if (*fake) { > +if ((rv = apr_filepath_merge(, alias->real, > fake, > + APR_FILEPATH_TRUENAME > + | > APR_FILEPATH_SECUREROOT, r->pool)) > +!= APR_SUCCESS) { > +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, > APLOGNO(10297) > + "Cannot map %s to file", > r->the_request); > +return MERGE_ERROR; > +} > +canon = 0; > +} > +else { > +/* > + * r->uri + l might be either pointing to \0 or to a > + * string full of '/'s. Hence we need to cat. > + */ > +found = apr_pstrcat(r->pool, alias->real, r->uri + > l, NULL); > +} > +} > } > } > > @@ -568,7 +604,7 @@ static char *try_alias_list(request_rec > * canonicalized. After I finish eliminating os canonical. > * Better fail test for ap_server_root_relative needed here. > */ > -if (!is_redir) { > +if (!is_redir && canon) { > found = ap_server_root_relative(r->pool, found); I wonder if we shouldn't add APR_FILEPATH_NOTABOVEROOT in ap_server_root_relative() too. Not that it helps here after your changes, but since we are on robustness.. > } Regards; Yann.
ap_server_root_relative
Yann, thanks for you PRs. Just one thing: ap_server_root_relative("/") -> "/" in my reading of the code. Why am I wrong?
Broken: apache/httpd#2033 (trunk - d8b3d1f)
Build Update for apache/httpd - Build: #2033 Status: Broken Duration: 17 mins and 29 secs Commit: d8b3d1f (trunk) Author: Ruediger Pluem Message: * Make aliases more robust against potential traversal attacks, by using apr_filepath_merge to merge the real path and the remainder of the fake path like we do in the same situation for resources mapped by DocumentRoot. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894024 13f79535-47bb-0310-9956-ffa450edef68 View the changeset: https://github.com/apache/httpd/compare/861c15e03c41...d8b3d1f0f6ed View the full build log and details: https://app.travis-ci.com/github/apache/httpd/builds/239420393?utm_medium=notification_source=email -- You can unsubscribe from build emails from the apache/httpd repository going to https://app.travis-ci.com/account/preferences/unsubscribe?repository=16806660_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://app.travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Re: svn commit: r1894021 - /httpd/httpd/trunk/server/util.c
HE CHANGED THE SACRED CODE! 浪 > Am 08.10.2021 um 11:02 schrieb rpl...@apache.org: > > Author: rpluem > Date: Fri Oct 8 09:02:30 2021 > New Revision: 1894021 > > URL: http://svn.apache.org/viewvc?rev=1894021=rev > Log: > * Optimize performance by moving calculation of loop invariant out of the loop > > Modified: >httpd/httpd/trunk/server/util.c > > Modified: httpd/httpd/trunk/server/util.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1894021=1894020=1894021=diff > == > --- httpd/httpd/trunk/server/util.c (original) > +++ httpd/httpd/trunk/server/util.c Fri Oct 8 09:02:30 2021 > @@ -505,6 +505,7 @@ AP_DECLARE(int) ap_normalize_path(char * > int ret = 1; > apr_size_t l = 1, w = 1, n; > int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0; > +int merge_slashes = (flags & AP_NORMALIZE_MERGE_SLASHES) != 0; > > if (!IS_SLASH(path[0])) { > /* Besides "OPTIONS *", a request-target should start with '/' > @@ -549,7 +550,7 @@ AP_DECLARE(int) ap_normalize_path(char * > > if (w == 0 || IS_SLASH(path[w - 1])) { > /* Collapse / sequences to / */ > -if ((flags & AP_NORMALIZE_MERGE_SLASHES) && IS_SLASH(path[l])) { > +if (merge_slashes && IS_SLASH(path[l])) { > do { > l++; > } while (IS_SLASH(path[l])); > >
Re: Ineract with travis? (was: Errored: apache/httpd#1888 (trunk - 47e6ece))
On Fri, Sep 24, 2021 at 02:28:15PM +0200, Yann Ylavic wrote: > On Fri, Sep 24, 2021 at 2:06 PM Yann Ylavic wrote: > > > > On Mon, Sep 6, 2021 at 5:30 PM Joe Orton wrote: > > > > > > If you're logged into Github you can restart > > > individual jobs which are Errored, which I've done just now. > > > > I'm logged into Github+Travis with my ASF account (travis seems to > > recognize me as a member of the ASF org) but somehow I can't interact > > with jobs (restart/cancel). > > > > Anything special to do in my settings (that I missed) or is it > > something to ask of infra or Joe (which seems to have some karma > > already)? > > I have apache/httpd-site, apache/www-site and some > apache/infrastructure-* auto-registered in "My Repositories" (for > which I can trigger builds, can't find cancel though), but > apache/httpd is not in the list so I think that's why.. Did you work out how to do this? I never asked for special rights here AFAIK, I assumed everybody in the "httpd-committers" group could do it, but your github user is listed there too: https://github.com/orgs/apache/teams/httpd-committers/members Regards, Joe
annou...@httpd.apache.org missing
The 2.4.51 announcement on annou...@httpd.apache.org did not make it, as seen in the mailing list archives. I have no idea why not. Any moderator of that list here? - Stefan