From: Philip Martin
To: dev@subversion.apache.org, Ben Reser, James McCoy
Subject: [PATCH] mod_auth_kerb/mod_auth_ntlm and mod_authz_svn
Date: Fri, 09 Oct 2015 19:20:22 +0100
Message-ID: <87io6fewex.fsf@wandisco.com>

CVE-2015-3185 for httpd and CVE-2015-3184 for Subversion combined to fix a
Subversion authz vulnerability. Following the release (httpd 2.4.16 and
Subversion 1.8.14) there have been reports of authn failures with
mod_auth_kerb and mod_auth_ntlm. These are 3rd party modules maintained
outside the httpd tree.

https://bugs.debian.org/797216
https://bugs.debian.org/799105
http://mail-archives.apache.org/mod_mbox/subversion-users/201509.mbox/%3CF3CBF2565B5E6046BC0D960DFE30DDCE78B01E62%40AL-MAIL01.aliconahq.com%3E
http://svn.haxx.se/users/archive-2015-09/0063.shtml

I believe I have reproduced the mod_auth_kerb problem:

$ curl -D- http://localhost:8888/krb/repo/A/B/
HTTP/1.1 401 Unauthorized
Date: Fri, 09 Oct 2015 17:32:46 GMT
Server: Apache/2.4.17-dev (Unix) OpenSSL/1.0.1k SVN/1.10.0-dev mod_auth_kerb/5.4
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
...

The 401 is expected here, but the server is sending it without a
WWW-Authenticate header. A client that could authenticate, like
Subversion, cannot do it because the header is missing and so the client
gives up.

The cause is this code in mod_authz_svn.c:

  if (authn_configured)
    {
      /* We have to check to see if authn is required because if so we must
       * return UNAUTHORIZED (401) rather than FORBIDDEN (403) since returning
       * the 403 leaks information about what paths may exist to
       * unauthenticated users.  We must set a note here in order
       * to use ap_some_authn_rquired() without triggering an infinite
       * loop since the call will trigger this function to be called again.
       */
      apr_table_setn(r->notes, IN_SOME_AUTHN_NOTE, (const char*)1);
      authn_required = ap_some_authn_required(r);
      apr_table_unset(r->notes, IN_SOME_AUTHN_NOTE);
      if (authn_required)
        {
          ap_note_auth_failure(r);
          return HTTP_UNAUTHORIZED;
        }
    }

Returning HTTP_UNAUTHORIZED is part of the CVE fix; mod_authz_svn didn't do
this before. The call to ap_note_auth_failure() runs hooks in the authn
modules to add the authenticate header and works with modules like
mod_auth_basic and mod_auth_digest which use ap_hook_note_auth_failure()
to register the hook. However, note_auth_failure is new in 2.4 and the 3rd
party mod_auth_kerb or mod_auth_ntlm do not register. That explains why
they don't add the header and why authn fails.

I don't know whether ap_note_auth_failure is optional or mandatory for
authn modules in 2.4 so I don't know if the fault lies with mod_dav_svn or
mod_auth_kerb/mod_auth_ntlm. I do know that httpd's mod_authz_core uses
ap_note_auth_failure().

We could attempt to add the hook to mod_auth_kerb, but we would need to do
the same for mod_auth_ntlm (of which there appear to be several
variations) as well as any other module that doesn't implement the hook.

Before the CVE fix mod_authz_svn would return DECLINED rather than
HTTP_UNAUTHORIZED and this allows httpd's ap_process_request_internal() to
proceed further and invoke mod_auth_kerb via an API it does implement and
that adds the authenticate header.

I've been experimenting with the patch below that makes mod_authz_svn
return DECLINED again. It passes the Subversion regression tests, including
the ones added for the CVE. All this authn/authz stuff is very complex and
I don't know if this is correct.

Index: subversion/mod_authz_svn/mod_authz_svn.c
===================================================================
--- subversion/mod_authz_svn/mod_authz_svn.c	(revision 1707771)
+++ subversion/mod_authz_svn/mod_authz_svn.c	(working copy)
@@ -954,7 +954,7 @@ access_checker(request_rec *r) #if USE_FORCE_AUTHN if (authn_configured) { /* We have to check to see if authn is required because if so we must - * return UNAUTHORIZED (401) rather than FORBIDDEN (403) since returning + * return DECLINED rather than FORBIDDEN (403) since returning * the 403 leaks information about what paths may exist to * unauthenticated users. We must set a note here in order * to use ap_some_authn_rquired() without triggering an infinite @@ -963,10 +963,7 @@ access_checker(request_rec *r) authn_required = ap_some_authn_required(r); apr_table_unset(r->notes, IN_SOME_AUTHN_NOTE); if (authn_required) - { - ap_note_auth_failure(r); - return HTTP_UNAUTHORIZED; - } + return DECLINED; } #else if (!authn_required) -- Philip Martin WANdisco
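Review bot: the rewritten comment in the first hunk (@@ -954,7) keeps only the 403-leak rationale and no longer says what produces the 401 once the function returns DECLINED. Since declining hands the request back to ap_process_request_internal() so that the configured authn module, including mod_auth_kerb/mod_auth_ntlm which do not register the note_auth_failure hook, emits the 401 and its WWW-Authenticate header, the comment should say so, e.g. `* return DECLINED rather than FORBIDDEN (403); httpd then runs the authn` / `* module, which sends the 401 and its WWW-Authenticate header. Returning`. Without that a later reader sees why 403 is wrong but not why DECLINED, rather than an explicit 401, is safe.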
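Review bot: dropping `ap_note_auth_failure(r);` in the second hunk (@@ -963,10) makes the 401 depend entirely on httpd's later authn stage, also for mod_auth_basic and mod_auth_digest which did implement the hook, so the log message should state that the 401 path moves from mod_authz_svn to httpd. The IN_SOME_AUTHN_NOTE set/unset around ap_some_authn_required() is now kept only to choose between `return DECLINED;` and falling through to the authz check, and since the comment's whole point is that a 403 reveals which paths exist, it is worth confirming that the CVE regression tests exercise an unauthenticated request to a path that does not exist as well as to one that does.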
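A post-upgrade check for the symptom shown in the mail, added here as an example and not part of the mail or of the Subversion or httpd sources: it parses `curl -D-` style header dumps and flags a 401 that carries no WWW-Authenticate challenge, as well as a 403 sent to an unauthenticated request. The dumps below are constructed (the first mirrors the quoted mod_auth_kerb output) and the realm string is a placeholder.

```python
# Added example, not from the mail or the Subversion/httpd sources.
# Checks curl -D- style header dumps for the reported symptom: a 401
# without the WWW-Authenticate challenge.  All dumps are constructed.

def parse_response(dump):
    """Return (status_code, {lowercased header name: [values]}) for one dump."""
    lines = dump.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 401 Unauthorized"
    headers = {}
    for line in lines[1:]:
        if not line.strip():                   # blank line ends the header block
            break
        name, _, value = line.partition(":")   # first colon only (Date: has more)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def check_unauthenticated_response(dump):
    """Findings for the response to an unauthenticated request.

    RFC 7235 requires every 401 to carry WWW-Authenticate; without it a client
    such as Subversion cannot pick an auth scheme and gives up.  A 403 instead
    of a 401 is the path-existence leak the CVE fix removed, so flag that too.
    """
    status, headers = parse_response(dump)
    findings = []
    if status == 401 and "www-authenticate" not in headers:
        findings.append("401 without WWW-Authenticate: no authn module added a challenge")
    if status == 403:
        findings.append("403 to unauthenticated request: leaks path existence, expect 401")
    return findings

# Constructed dumps; the first mirrors the mod_auth_kerb output quoted in the mail.
KERB_NO_CHALLENGE = """HTTP/1.1 401 Unauthorized
Date: Fri, 09 Oct 2015 17:32:46 GMT
Server: Apache/2.4.17-dev (Unix) OpenSSL/1.0.1k SVN/1.10.0-dev mod_auth_kerb/5.4
Content-Type: text/html; charset=iso-8859-1
"""
BASIC_OK = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="placeholder-realm"
Content-Type: text/html; charset=iso-8859-1
"""
LEAKY_403 = """HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
"""

if __name__ == "__main__":
    for name, dump in [("kerb", KERB_NO_CHALLENGE), ("basic", BASIC_OK), ("403", LEAKY_403)]:
        print(name, check_unauthenticated_response(dump) or ["ok"])
```

To check a live server, save `curl -D- -o /dev/null <url>` output to a file and pass its contents to check_unauthenticated_response().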