httpd-dev mailing list archives

From Greg Stein <gst...@gmail.com>
Subject Re: [PATCH PR55304] mod_dav: COPY should not validate the parent of request.
Date Wed, 24 Jul 2013 21:24:42 GMT
Fixed in r1506714, and proposed for backport to 2.2.x and 2.4.x.

On Wed, Jul 24, 2013 at 3:38 PM, Ben Reser <ben@reser.org> wrote:
> This patch fixes a regression created by the PR54610.  COPY does not
> modify the parent of the source, so it should not be validating the
> parent.  This issue actually disallows the ability to COPY the root of
> a DAV repository since a properly implemented DAV provider will return
> NULL and dav_method_copymove() will error on that.
>
> We ran into this with Subversion, which actually revealed a security
> issue with our implementation of get_parent_resource() since it failed
> on the root.  But beyond that we realized we were not properly
> returning NULL for some resources when the resource is the root and
> thus has no parent.  If we fix this without this patch being made to
> mod_dav then HTTP 2.2.25 and 2.4.6 will lose the ability to COPY the
> root.
>
> If someone can apply it that would be appreciated.  It's certainly
> been looked at by several eyes over on the Subversion side.
