httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r1663123 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c
Date Fri, 06 Mar 2015 15:43:20 GMT


On 03/01/2015 03:37 PM, minfrin@apache.org wrote:
> Author: minfrin
> Date: Sun Mar  1 14:37:11 2015
> New Revision: 1663123
> 
> URL: http://svn.apache.org/r1663123
> Log:
> mod_authn_core: Add expression support to AuthName and AuthType.
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/docs/manual/expr.xml
>     httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
>     httpd/httpd/trunk/modules/aaa/mod_authn_core.c


This causes a test case in the framework to fail. I guess just the test case is wrong, but
it should be fixed:

# Running under perl version 5.010001 for linux
# Current time local: Fri Mar  6 16:32:45 2015
# Current time GMT:   Fri Mar  6 15:32:45 2015
# Using Test.pm version 1.25_02
# Using Apache/Test.pm version 1.38
# testing : CAN-2004-0747 ap_resolve_env test case
# expected: 200
# received: '500'
not ok 1
# Failed test 1 in t/security/CVE-2004-0747.t at line 14
Failed 1/1 subtests

Test Summary Report
-------------------
t/security/CVE-2004-0747.t (Wstat: 0 Tests: 1 Failed: 1)
  Failed test:  1
Files=1, Tests=1,  0 wallclock secs ( 0.01 usr  0.01 sys +  0.36 cusr  0.07 csys =  0.45 CPU)
Result: FAIL
Failed 1/1 test programs. 1/1 subtests failed.


error_log:

[Fri Mar 06 15:32:45.428836 2015] [core:alert] [pid 10177:tid 140546563634944] [client 127.0.0.1:40823]
/usr/src/apache/perl-framework-trunk/t/htdocs/security/CAN-2004-0747/.htaccess: Cannot parse
expression '

This also reminds me that this could slow down .htaccess processing considerably, since
we need to parse the expression for each request where we have a .htaccess with this
directive in place. Furthermore, do we open up any stuff that malicious users with access
to .htaccess could do with expressions that they are not expected to do?
If so, is it possible to limit expression support just to the case where the directive is
not in .htaccess?

Regards

Rüdiger
