httpd-test-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: cvs commit: httpd-test/perl-framework/t/security CAN-2004-0940.t
Date Thu, 28 Oct 2004 19:37:52 GMT
On Thu, Oct 28, 2004 at 03:19:32PM -0400, Geoffrey Young wrote:
> 
> 
> jorton@apache.org wrote:
> > jorton      2004/10/25 06:04:14
> > 
> >   Modified:    perl-framework/t/conf extra.conf.in
> >   Added:       perl-framework/t/htdocs/security CAN-2004-0940.shtml
> >                perl-framework/t/security CAN-2004-0940.t
> >   Log:
> >   Regression test for CAN-2004-0940, 1.3 mod_include overflow.
> 
> hi joe :)
> 
> I get the following failures on 1.3.32 but not on 1.3.33.
> 
> t/modules/rewrite.t                      22    2   9.09%  18 20
> t/security/CAN-2004-0940.t                1    1 100.00%  1

Those bugs are present in 1.3.32, so that's expected.

> t/security/CAN-2004-0958.t                9    2  22.22%  1 3

Did you change the PHP version too? That's a PHP test; the result shouldn't
change unless you also changed the PHP version along with 1.3.33.
 
> I think these are all recent additions from you.  should each of these
> failures be skipped unless something like
> 
>   ( have_apache(1) && have_min_apache_version(1.3.33) ) ||
>   ( have_apache(2) && have_min_apache_version(2.0.XX) )

Well... we started having this debate a while back :)

Here's my take: I think it's correct to:

1) only test for new features on versions on which they are known to be
present

2) test for bugs unconditionally on all affected versions

I think it's the desired outcome that if you test 1.3.32 for
CAN-2004-0940, it should fail: 1.3.32 is after all vulnerable to
CAN-2004-0940.  Why hide that by skipping the test?  Likewise, if you're
running 1.3.32 you *should* be told that there is a nasty mod_rewrite
regression in that version.

Maybe I'm hawking my corporate agenda here a little too, because it
makes httpd-test slightly more useful to me since I can test for 1.3.x +
backported patch, whereas if the test was skipped for <1.3.33 it won't
demonstrate that the code is patched.

Does that make sense?

joe
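As an added illustration of the two rules stated above (this is not the committed CAN-2004-0940.t, whose contents are not shown in this message), a sketch of how a security regression test in the Apache::Test perl-framework can be gated on module presence only, with the version-gated feature-test form beside it for contrast. The request path, the status-code check and the 2.0.XX placeholder are assumptions, not taken from the commit.

```perl
use strict;
use warnings FATAL => 'all';

use Apache::Test;
use Apache::TestRequest;

# Rule 2: a regression test for a known bug runs on every version that
# ships the affected module. It is gated only on mod_include being
# present, never on the server version, so an unpatched 1.3.32 fails
# (as it should) and a 1.3.x tree with the fix backported passes.
plan tests => 1, have_module 'include';

# Assumed path: the commit lists t/htdocs/security/CAN-2004-0940.shtml,
# which the framework serves under /security/. What that .shtml contains
# is not shown here, so only the status code is checked: a child that
# dies while parsing the page does not answer with 200.
my $res = GET '/security/CAN-2004-0940.shtml';
ok $res->code == 200;

# Rule 1 (for contrast): a test for a *new feature* is where a version
# gate belongs, because older versions are not wrong to lack the feature.
# The 2.0.XX placeholder is left as written in the thread.
#
# plan tests => 1, sub {
#     (have_apache(1) && have_min_apache_version('1.3.33')) ||
#     (have_apache(2) && have_min_apache_version('2.0.XX'))
# };
```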