Mailing-List: contact modperl-help@perl.apache.org; run by ezmlm
Precedence: bulk
Received-SPF: pass (athena.apache.org: domain of trawick@gmail.com designates
 72.14.220.155 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=ZjQvgV74oVIhAb9S4ZUfIjYNJEoSbbCy+LPzjpdR9FPXuh50r9ZI6nhUHgFOFKSprZ
         sEWhniuz2yDsrAlt0zUh+qY+Ew4UdUGj6V5yGE1Curm1Ua93jYn6xS6yIPonU2aihxr3
         IIzZp0z5a/7Irx08Su70WAFpmNYBFr9NKnLio=
MIME-Version: 1.0
In-Reply-To: <20090520125319.GB2601@redhat.com>
References: <20090512131730.1F03F2388842@eris.apache.org>
	 <cc67648e0905170815u640bbaf6j302dd35f1b29847@mail.gmail.com>
	 <20090520125319.GB2601@redhat.com>
Date: Thu, 21 May 2009 14:39:57 -0400
Message-ID: <cc67648e0905211139k3dc293cbyfc2dea28067416b5@mail.gmail.com>
Subject: Re: svn commit: r773881 - in /httpd/httpd/branches/2.2.x: CHANGES
	STATUS include/http_core.h modules/filters/mod_include.c server/config.c
	server/core.c
From: Jeff Trawick <trawick@gmail.com>
To: dev@httpd.apache.org, modperl@perl.apache.org
Content-Type: multipart/alternative; boundary=000e0cd25016855441046a70786d

--000e0cd25016855441046a70786d
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

On Wed, May 20, 2009 at 8:53 AM, Joe Orton <jorton@redhat.com> wrote:

> On Sun, May 17, 2009 at 11:15:00AM -0400, Jeff Trawick wrote:
> > On Tue, May 12, 2009 at 9:17 AM, <covener@apache.org> wrote:
> >
> > > Author: covener
> > > Date: Tue May 12 13:17:29 2009
> > > New Revision: 773881
> > >
> > > URL: http://svn.apache.org/viewvc?rev=773881&view=rev
> > > Log:
> > > backport 772997, 773322, 773342 from trunk.
> > > Reviewed By: jorton, rpluem, covener
> > >
> > > Security fix for CVE-2009-1195: fix Options handling such that
> > > 'AllowOverride Options=IncludesNoExec' does not permit Includes with
> > > exec= enabled to be configured in an .htaccess file:
> > >
> > > * include/http_core.h: Change semantics of Includes/IncludeNoExec
> > >  options bits to be additive; OPT_INCLUDES now means SSI is enabled
> > >  without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
> > >  with exec=.
> >
> >
> > Current mod_perl tarballs reference OPT_INC_WITH_EXEC as part of mapping
> the
> > httpd API into perl, and the mod_perl build fails because of this.
> >
> > ("modperl_config.c", line 525: undefined symbol: OPT_INCNOEXEC)
>
> Ick :( For some reason I thought this was hidden by CORE_PRIVATE, for
> what little that's worth.
>
> > While I don't understand why the mod_perl mappings are created at release
> > time against who knows what httpd, it brings up an interesting httpd
> issue
> > anyway.
> >
> > If some module does have OPT_INCNOEXEC baked in (32), it matches what
> > 2.2.12+ thinks is OPT_INC_WITH_EXEC.  Similarly, the old
> OPT_INC_WITH_EXEC
> > (previously called OPT_INCLUDES), maps what 2.2.12+ thinks is
> > OPT_INCLUDES-without-exec.
> >
> > We could swap the values of OPT_INCLUDES and OPT_INC_WITH_EXEC to lessen
> the
> > chance of some theoretical module making the wrong decision.
> >
> > We can also define OPT_INCNOEXEC to something (either the new
> OPT_INCLUDES
> > or "Get your mod_perl patch at XXX").
>
> Given that the semantics of the options has changed, I don't think it's
> worth changing httpd to maintain any pretence of compile-time or
> run-time compatibility here.  Any code using the OPT_* constants as
> exposed by mod_perl cannot work as expected any more.
>
> Regards, Joe
>

Is the change in semantics required to fix the bug, or is it simply the
current implementation?

As these constants and the related ap_allow_options() have been exposed to
the C API for eons, and passed through in API mappings such as mod_perl, it
is worth making an alternate fix to avoid breaking module compiles and
(potentially) module misbehavior when upgrading from 2.2.11 to 2.2.12.

Unfortunately I don't have a patch :(

Does somebody else care to share their opinion on this?  Which of these are
okay?

- existing mod_perl releases (and potentially other third-party modules)
won't compile with 2.2.12
- existing Perl modules (and potentially other third-party modules) will
confuse include-with-exec and include-without-exec

--000e0cd25016855441046a70786d
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div class=3D"gmail_quote">On Wed, May 20, 2009 at 8:53 AM, Joe Orton <span=
 dir=3D"ltr">&lt;<a href=3D"mailto:jorton@redhat.com">jorton@redhat.com</a>=
&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"border-lef=
t: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1=
ex;">
<div class=3D"im">On Sun, May 17, 2009 at 11:15:00AM -0400, Jeff Trawick wr=
ote:<br>
&gt; On Tue, May 12, 2009 at 9:17 AM, &lt;<a href=3D"mailto:covener@apache.=
org">covener@apache.org</a>&gt; wrote:<br>
&gt;<br>
&gt; &gt; Author: covener<br>
&gt; &gt; Date: Tue May 12 13:17:29 2009<br>
&gt; &gt; New Revision: 773881<br>
&gt; &gt;<br>
&gt; &gt; URL: <a href=3D"http://svn.apache.org/viewvc?rev=3D773881&amp;vie=
w=3Drev" target=3D"_blank">http://svn.apache.org/viewvc?rev=3D773881&amp;vi=
ew=3Drev</a><br>
&gt; &gt; Log:<br>
&gt; &gt; backport 772997, 773322, 773342 from trunk.<br>
&gt; &gt; Reviewed By: jorton, rpluem, covener<br>
&gt; &gt;<br>
&gt; &gt; Security fix for CVE-2009-1195: fix Options handling such that<br=
>
&gt; &gt; &#39;AllowOverride Options=3DIncludesNoExec&#39; does not permit =
Includes with<br>
&gt; &gt; exec=3D enabled to be configured in an .htaccess file:<br>
&gt; &gt;<br>
&gt; &gt; * include/http_core.h: Change semantics of Includes/IncludeNoExec=
<br>
&gt; &gt; =A0options bits to be additive; OPT_INCLUDES now means SSI is ena=
bled<br>
&gt; &gt; =A0without exec=3D. =A0OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI i=
s enabled<br>
&gt; &gt; =A0with exec=3D.<br>
&gt;<br>
&gt;<br>
&gt; Current mod_perl tarballs reference OPT_INC_WITH_EXEC as part of mappi=
ng the<br>
&gt; httpd API into perl, and the mod_perl build fails because of this.<br>
&gt;<br>
&gt; (&quot;modperl_config.c&quot;, line 525: undefined symbol: OPT_INCNOEX=
EC)<br>
<br>
</div>Ick :( For some reason I thought this was hidden by CORE_PRIVATE, for=
<br>
what little that&#39;s worth.<br>
<div class=3D"im"><br>
&gt; While I don&#39;t understand why the mod_perl mappings are created at =
release<br>
&gt; time against who knows what httpd, it brings up an interesting httpd i=
ssue<br>
&gt; anyway.<br>
&gt;<br>
&gt; If some module does have OPT_INCNOEXEC baked in (32), it matches what<=
br>
&gt; 2.2.12+ thinks is OPT_INC_WITH_EXEC. =A0Similarly, the old OPT_INC_WIT=
H_EXEC<br>
&gt; (previously called OPT_INCLUDES), maps what 2.2.12+ thinks is<br>
&gt; OPT_INCLUDES-without-exec.<br>
&gt;<br>
&gt; We could swap the values of OPT_INCLUDES and OPT_INC_WITH_EXEC to less=
en the<br>
&gt; chance of some theoretical module making the wrong decision.<br>
&gt;<br>
&gt; We can also define OPT_INCNOEXEC to something (either the new OPT_INCL=
UDES<br>
&gt; or &quot;Get your mod_perl patch at XXX&quot;).<br>
<br>
</div>Given that the semantics of the options has changed, I don&#39;t thin=
k it&#39;s<br>
worth changing httpd to maintain any pretence of compile-time or<br>
run-time compatibility here. =A0Any code using the OPT_* constants as<br>
exposed by mod_perl cannot work as expected any more.<br>
<br>
Regards, Joe<br>
</blockquote></div><br>Is the change in semantics required to fix the bug, =
or is it simply the current implementation?<br><br>As these constants and t=
he related ap_allow_options() have been exposed to the C API for eons, and =
passed through in API mappings such as mod_perl, it is worth making an alte=
rnate fix to avoid breaking module compiles and (potentially) module misbeh=
avior when upgrading from 2.2.11 to 2.2.12.<br>
<br>Unfortunately I don&#39;t have a patch :(<br><br>Does somebody else car=
e to share their opinion on this?=A0 Which of these are okay?<br><br>- exis=
ting mod_perl releases (and potentially other third-party modules) won&#39;=
t compile with 2.2.12<br>
- existing Perl modules (and potentially other third-party modules) will co=
nfuse include-with-exec and include-without-exec<br><br>

--000e0cd25016855441046a70786d--