You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by ph...@apache.org on 2016/02/25 14:13:24 UTC

svn commit: r1732294 - in /subversion/trunk: Makefile.in build/ac-macros/apache.m4 build/run_tests.py configure.ac subversion/tests/cmdline/svntest/main.py

Author: philip
Date: Thu Feb 25 13:13:23 2016
New Revision: 1732294

URL: http://svn.apache.org/viewvc?rev=1732294&view=rev
Log:
Add --enable-apache-whitelist configure option.  Subversion's configure
script blacklists some old, buggy, Apache versions and refuses to build
while some distributions ship these old versions with patches to fix
the bugs.  Whitelisting an Apache version will override the blacklist
and allow Subversion to build.

Subversion has regression tests for the buggy Apache behaviour and
whitelisting will change the expected behaviour for these tests from
XFAIL to PASS. As an example: using --enable-apache-whitelist=2.4.6
on an up-to-date CentOS 7 will allow Subversion to build and the
regression tests will PASS.

* configure.ac: Add --enable-apache-whitelist.

* build/ac-macros/apache.m4
  (SVN_FIND_APACHE): Check whitelist, tweak help text for
   --enable-broken-httpd-auth.

* Makefile.in
  (HTTPD_WHITELIST): New.
  (check): Pass --httpd-whitelist.

* build/run_tests.py
  (TestHarness.__init__, TestHarness._run_py_test, main): Add httpd_whitelist.

* subversion/tests/cmdline/svntest/main.py
  (is_mod_dav_url_quoting_broken): Check whitelist.
  (TestSpawningThread.run_one): Handle --httpd-whitelist.
  (_create_parser): Add --httpd-whitelist.

Modified:
    subversion/trunk/Makefile.in
    subversion/trunk/build/ac-macros/apache.m4
    subversion/trunk/build/run_tests.py
    subversion/trunk/configure.ac
    subversion/trunk/subversion/tests/cmdline/svntest/main.py

Modified: subversion/trunk/Makefile.in
URL: http://svn.apache.org/viewvc/subversion/trunk/Makefile.in?rev=1732294&r1=1732293&r2=1732294&view=diff
==============================================================================
--- subversion/trunk/Makefile.in (original)
+++ subversion/trunk/Makefile.in Thu Feb 25 13:13:23 2016
@@ -371,6 +371,7 @@ INSTALL_EXTRA_SWIG_RB=\
 
 APXS = @APXS@
 HTTPD_VERSION = @HTTPD_VERSION@
+HTTPD_WHITELIST = @HTTPD_WHITELIST@
 
 PYTHON = @PYTHON@
 PERL = @PERL@
@@ -540,6 +541,9 @@ check: bin @TRANSFORM_LIBTOOL_SCRIPTS@ $
 	  if test "$(HTTPD_VERSION)" != ""; then                             \
 	     flags="--httpd-version $(HTTPD_VERSION) $$flags";               \
 	  fi;                                                                \
+	  if test "$(HTTPD_WHITELIST)" != ""; then                           \
+	     flags="--httpd-whitelist $(HTTPD_WHITELIST) $$flags";           \
+	  fi;                                                                \
 	  if test "$(SERVER_MINOR_VERSION)" != ""; then                      \
 	    flags="--server-minor-version $(SERVER_MINOR_VERSION) $$flags";  \
 	  fi;                                                                \

Modified: subversion/trunk/build/ac-macros/apache.m4
URL: http://svn.apache.org/viewvc/subversion/trunk/build/ac-macros/apache.m4?rev=1732294&r1=1732293&r2=1732294&view=diff
==============================================================================
--- subversion/trunk/build/ac-macros/apache.m4 (original)
+++ subversion/trunk/build/ac-macros/apache.m4 Thu Feb 25 13:13:23 2016
@@ -30,6 +30,8 @@ AC_REQUIRE([AC_CANONICAL_HOST])
 
 HTTPD_WANTED_MMN="$1"
 
+HTTPD_WHITELIST_VER="$2"
+
 AC_MSG_CHECKING(for Apache module support via DSO through APXS)
 AC_ARG_WITH(apxs,
             [AS_HELP_STRING([[--with-apxs[=FILE]]],
@@ -102,6 +104,9 @@ if test -n "$APXS" && test "$APXS" != "n
   HTTPD_PATCH=`$SED -ne '/^#define AP_SERVER_PATCHLEVEL_NUMBER/p' "$APXS_INCLUDE/ap_release.h" | $SED -e 's/^.*NUMBER *//'`
   HTTPD_VERSION="${HTTPD_MAJOR}.${HTTPD_MINOR}.${HTTPD_PATCH}"
   case "$HTTPD_VERSION" in
+    $HTTPD_WHITELIST_VER)
+      AC_MSG_RESULT([acceptable (whitelist)])
+      ;;
     2.2.25 | 2.4.[[5-6]])
       AC_MSG_RESULT([broken])
       AC_MSG_ERROR([Apache httpd version $HTTPD_VERSION includes a broken mod_dav; use a newer version of httpd])
@@ -171,7 +176,9 @@ if test -n "$APXS" && test "$APXS" != "n
       # API but the installation may have been patched.
       AC_ARG_ENABLE(broken-httpd-auth,
         AS_HELP_STRING([--enable-broken-httpd-auth],
-                       [Force build against httpd 2.4 with broken auth]),
+                       [Force build against httpd 2.4 with broken auth. (This
+                        is not recommended as Subversion will be vulnerable to
+                        CVE-2015-3184.)]),
         [broken_httpd_auth=$enableval],[broken_httpd_auth=no])
       AC_MSG_CHECKING([for ap_some_authn_required])
       old_CPPFLAGS="$CPPFLAGS"

Modified: subversion/trunk/build/run_tests.py
URL: http://svn.apache.org/viewvc/subversion/trunk/build/run_tests.py?rev=1732294&r1=1732293&r2=1732294&view=diff
==============================================================================
--- subversion/trunk/build/run_tests.py (original)
+++ subversion/trunk/build/run_tests.py Thu Feb 25 13:13:23 2016
@@ -30,7 +30,7 @@
             [--fs-type=<fs-type>] [--fsfs-packing] [--fsfs-sharding=<n>]
             [--list] [--milestone-filter=<regex>] [--mode-filter=<type>]
             [--server-minor-version=<version>] [--http-proxy=<host>:<port>]
-            [--httpd-version=<version>]
+            [--httpd-version=<version>] [--httpd-whitelist=<version>]
             [--config-file=<file>] [--ssl-cert=<file>]
             [--exclusive-wc-locks] [--memcached-server=<url:port>]
             <abs_srcdir> <abs_builddir>
@@ -259,6 +259,8 @@ class TestHarness:
       cmdline.append('--http-proxy-password=%s' % self.opts.http_proxy_password)
     if self.opts.httpd_version is not None:
       cmdline.append('--httpd-version=%s' % self.opts.httpd_version)
+    if self.opts.httpd_whitelist is not None:
+      cmdline.append('--httpd-whitelist=%s' % self.opts.httpd_whitelist)
     if self.opts.exclusive_wc_locks is not None:
       cmdline.append('--exclusive-wc-locks')
     if self.opts.memcached_server is not None:
@@ -999,6 +1001,8 @@ def create_parser():
                     help='Password for the HTTP Proxy.')
   parser.add_option('--httpd-version', action='store',
                     help='Assume HTTPD is this version.')
+  parser.add_option('--httpd-whitelist', action='store',
+                    help='Assume HTTPD whitelist is this version.')
   parser.add_option('--exclusive-wc-locks', action='store_true',
                     help='Use sqlite exclusive locking for working copies')
   parser.add_option('--memcached-server', action='store',

Modified: subversion/trunk/configure.ac
URL: http://svn.apache.org/viewvc/subversion/trunk/configure.ac?rev=1732294&r1=1732293&r2=1732294&view=diff
==============================================================================
--- subversion/trunk/configure.ac (original)
+++ subversion/trunk/configure.ac Thu Feb 25 13:13:23 2016
@@ -136,9 +136,18 @@ if test "$svn_lib_apr_memcache" = "yes";
             [Defined if apr_memcache (standalone or in apr-util) is present])
 fi
 
+AC_ARG_ENABLE(apache-whitelist,
+  AS_HELP_STRING([--enable-apache-whitelist=VER],
+                 [Whitelist a particular Apache version number,
+                  typically used to enable the use of a old version
+                  patched by a distribution.]),
+                 [apache_whitelist_ver=$enableval],
+                 [apache_whitelist_ver=no])
+HTTPD_WHITELIST="$apache_whitelist_ver"
+AC_SUBST(HTTPD_WHITELIST)
 
 dnl Find Apache with a recent-enough magic module number
-SVN_FIND_APACHE(20051115)
+SVN_FIND_APACHE(20051115, $apache_whitelist_ver)
 
 dnl Search for SQLite.  If you change SQLITE_URL from a .zip to
 dnl something else also update build/ac-macros/sqlite.m4 to reflect

Modified: subversion/trunk/subversion/tests/cmdline/svntest/main.py
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/cmdline/svntest/main.py?rev=1732294&r1=1732293&r2=1732294&view=diff
==============================================================================
--- subversion/trunk/subversion/tests/cmdline/svntest/main.py (original)
+++ subversion/trunk/subversion/tests/cmdline/svntest/main.py Thu Feb 25 13:13:23 2016
@@ -1571,7 +1571,7 @@ __mod_dav_url_quoting_broken_versions =
     '2.4.5',
 ])
 def is_mod_dav_url_quoting_broken():
-    if is_ra_type_dav():
+    if is_ra_type_dav() and options.httpd_version != options.httpd_whitelist:
         return (options.httpd_version in __mod_dav_url_quoting_broken_versions)
     return None
 
@@ -1643,6 +1643,8 @@ class TestSpawningThread(threading.Threa
       args.append('--http-proxy-password=' + options.http_proxy_password)
     if options.httpd_version:
       args.append('--httpd-version=' + options.httpd_version)
+    if options.httpd_whitelist:
+      args.append('--httpd-whitelist=' + options.httpd_whitelist)
     if options.exclusive_wc_locks:
       args.append('--exclusive-wc-locks')
     if options.memcached_server:
@@ -2059,6 +2061,8 @@ def _create_parser(usage=None):
                     help='Password for the HTTP Proxy.')
   parser.add_option('--httpd-version', action='store',
                     help='Assume HTTPD is this version.')
+  parser.add_option('--httpd-whitelist', action='store',
+                    help='httpd whitelist version.')
   parser.add_option('--tools-bin', action='store', dest='tools_bin',
                     help='Use the svn tools installed in this path')
   parser.add_option('--exclusive-wc-locks', action='store_true',