Posted to dev@subversion.apache.org by Roderich Schupp <ro...@gmail.com> on 2013/08/30 10:30:06 UTC

"Unable to PUT new contents" - problem with Apache 2.2.25

Hi,

we recently upgraded our servers to Apache 2.2.25 and Subversion 1.7.11.
Since then several of our users have problems committing files with blanks
somewhere in the pathname.
Symptoms are always the same:

Apache error_log shows

[Tue Aug 27 16:54:27 2013] [error] [client xx.xx.xx.xx] Unable to PUT new contents for /svn/repo/!svn/wrk/dcc67069-7dca-3141-8016-18787681c6d8/My%20Project/AssemblyInfo.vb. [403, #0]
[Tue Aug 27 16:54:27 2013] [error] [client xx.xx.xx.xx] Could not create file within the repository.  [404, #160013]
[Tue Aug 27 16:54:27 2013] [error] [client xx.xx.xx.xx] File not found: transaction '5252-4fa', path '/My%20Project/AssemblyInfo.vb'  [404, #160013]

and the relevant lines from the Apache access_log

xx.xx.xx.xx server jdoe [27/Aug/2013:16:54:26 +0200] "MKACTIVITY /svn/repo/!svn/act/dcc67069-7dca-3141-8016-18787681c6d8 HTTP/1.1" 201 241 "-" "SVN/1.6.16 (SharpSvn/1.6.16) WIN32/6.1 SharpSvn/1.6016.1637.10768 VisualStudio/9.0.21022.8 AnkhSVN/2.1.10129.17 neon/0.29.5"
...
xx.xx.xx.xx server jdoe [27/Aug/2013:16:54:27 +0200] "CHECKOUT /svn/repo/!svn/ver/5090/My%20Project/AssemblyInfo.vb HTTP/1.1" 201 375 "-" "SVN/1.6.16 (SharpSvn/1.6.16) WIN32/6.1 SharpSvn/1.6016.1637.10768 VisualStudio/9.0.21022.8 AnkhSVN/2.1.10129.17 neon/0.29.5"
xx.xx.xx.xx server jdoe [27/Aug/2013:16:54:27 +0200] "PUT /svn/repo/!svn/wrk/dcc67069-7dca-3141-8016-18787681c6d8/My%2520Project/AssemblyInfo.vb HTTP/1.1" 404 363 "-" "SVN/1.6.16 (SharpSvn/1.6.16) WIN32/6.1 SharpSvn/1.6016.1637.10768 VisualStudio/9.0.21022.8 AnkhSVN/2.1.10129.17 neon/0.29.5"

Note that the URL in the PUT request looks like it has been URL-encoded twice
("...%20..." in the CHECKOUT URL got turned into "...%2520...").
The actual Subversion client varies (TortoiseSVN, SharpSVN, SVNKit etc),
but it must be using the pre-HTTPv2 protocol, e.g. SVN 1.6.x.

I downgraded the server to Apache 2.2.24 and the problem went away.

I traced the actual TCP conversation in one of these cases and the double
URL encoding seen is caused by the server: it sends the double encoded URL
in the Location header of its response to the CHECKOUT request.

Cheers, Roderich
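
Added example, not part of the original post: one way to find this symptom in an access_log is to flag failed PUTs to a working resource whose path, decoded once, equals a path seen earlier in a CHECKOUT. The function name and the sample list are assumptions made for illustration; the regexes assume one log entry per line in the format shown above.

```python
import re
from urllib.parse import unquote

# "METHOD /path HTTP/1.x" status, as it appears in the access_log lines above
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})')
# A percent sign that was itself percent-encoded: %25 followed by two hex digits
DOUBLE_ENC_RE = re.compile(r"%25[0-9A-Fa-f]{2}")
# Pre-HTTPv2 resources: version resource (CHECKOUT) and working resource (PUT)
VER_RE = re.compile(r"/!svn/ver/\d+(?P<rel>/.*)$")
WRK_RE = re.compile(r"/!svn/wrk/[0-9a-f-]+(?P<rel>/.*)$")

def find_double_encoded_puts(lines):
    """Return (put_path, path_decoded_once, status) for each failed PUT whose
    working-resource path decodes once to a path already seen in a CHECKOUT."""
    checked_out, hits = set(), []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, status = m["path"], int(m["status"])
        if m["method"] == "CHECKOUT":
            ver = VER_RE.search(path)
            if ver:
                checked_out.add(ver["rel"])
        elif m["method"] == "PUT" and status >= 400 and DOUBLE_ENC_RE.search(path):
            wrk = WRK_RE.search(path)
            # unquote() removes exactly one encoding layer: %2520 -> %20
            if wrk and unquote(wrk["rel"]) in checked_out:
                hits.append((path, unquote(wrk["rel"]), status))
    return hits

# Entries 1-2: rejoined from the post, User-Agent shortened. Entries 3-4: constructed,
# a file whose real name contains "%20"; it must not be flagged.
SAMPLE = [
    'xx.xx.xx.xx server jdoe [27/Aug/2013:16:54:27 +0200] "CHECKOUT /svn/repo/!svn/ver/5090/My%20Project/AssemblyInfo.vb HTTP/1.1" 201 375 "-" "SVN/1.6.16"',
    'xx.xx.xx.xx server jdoe [27/Aug/2013:16:54:27 +0200] "PUT /svn/repo/!svn/wrk/dcc67069-7dca-3141-8016-18787681c6d8/My%2520Project/AssemblyInfo.vb HTTP/1.1" 404 363 "-" "SVN/1.6.16"',
    'xx.xx.xx.xx server jdoe [27/Aug/2013:16:55:02 +0200] "CHECKOUT /svn/repo/!svn/ver/5090/docs/a%2520b.txt HTTP/1.1" 201 375 "-" "SVN/1.6.16"',
    'xx.xx.xx.xx server jdoe [27/Aug/2013:16:55:02 +0200] "PUT /svn/repo/!svn/wrk/11111111-2222-3333-4444-555555555555/docs/a%2520b.txt HTTP/1.1" 403 363 "-" "SVN/1.6.16"',
]

if __name__ == "__main__":
    for put_path, once, status in find_double_encoded_puts(SAMPLE):
        print(f"{status} PUT {put_path} (CHECKOUT path was {once})")
```

Requiring the match against an earlier CHECKOUT path keeps file names that legitimately contain a literal "%20" out of the results.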

Re: "Unable to PUT new contents" - problem with Apache 2.2.25

Posted by Ben Reser <be...@reser.org>.
On 8/30/13 6:03 AM, Roderich Schupp wrote:
> 
> On Fri, Aug 30, 2013 at 10:49 AM, Julian Foad <julianfoad@btopenworld.com
>     Hi Roderich.  Google("Apache 2.2.25 double encoding bug") -> it's a bug in
>     httpd 2.2.25: <https://issues.apache.org/bugzilla/show_bug.cgi?id=55397>. 
>     Ben Reser reported it so hopefully he can tell you any news regarding a
>     fix, but downgrading to 2.2.24 for now would appear to be a good work-around.

I've got some work done on the "correct" fix but haven't finished it because
it's causing some odd behavior with mod_dav_fs and some other tasks haven't
allowed me the time to get back to it.

See below for my advice in the meantime...

> Thanks for the reference.
> Together with the COPY bug, Apache 2.2.25 seems pretty unfit for use with
> Subversion.


Unfortunately, we can't recommend that people not use 2.2.25 because it has
relevant security fixes for Subversion.

Applying the patches produced by the following two commands should avoid issues
for Subversion users (though if they are also mod_dav_fs users it may revert fixes
for them that don't help Subversion):
svn diff -c -1497121 https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/dav/main/mod_dav.c
svn diff -c -1497441 https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/dav/main/mod_dav.c


2.4.6 users should use the following patches (same caveats apply):
svn diff -c -1485721 https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/dav/main/mod_dav.c
svn diff -c -1486456 https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/modules/dav/main/mod_dav.c


Re: "Unable to PUT new contents" - problem with Apache 2.2.25

Posted by Roderich Schupp <ro...@gmail.com>.
On Fri, Aug 30, 2013 at 10:49 AM, Julian Foad <ju...@btopenworld.com> wrote:

> Hi Roderich.  Google("Apache 2.2.25 double encoding bug") -> it's a bug in
> httpd 2.2.25: <https://issues.apache.org/bugzilla/show_bug.cgi?id=55397>.
> Ben Reser reported it so hopefully he can tell you any news regarding a
> fix, but downgrading to 2.2.24 for now would appear to be a good
> work-around.
>

Thanks for the reference.
Together with the COPY bug, Apache 2.2.25 seems pretty unfit for use with
Subversion.

Cheers, Roderich

Re: "Unable to PUT new contents" - problem with Apache 2.2.25

Posted by Julian Foad <ju...@btopenworld.com>.
Hi Roderich.  Google("Apache 2.2.25 double encoding bug") -> it's a bug in httpd 2.2.25: <https://issues.apache.org/bugzilla/show_bug.cgi?id=55397>.  Ben Reser reported it so hopefully he can tell you any news regarding a fix, but downgrading to 2.2.24 for now would appear to be a good work-around.

- Julian



Roderich Schupp wrote:
> we recently upgraded our servers to Apache 2.2.25 and Subversion 1.7.11.
> Since then several of our users have problems committing files with blanks
> somewhere in the pathname. 

[...]

> Note that the URL in the PUT request looks like it has been URL-encoded
> twice ("...%20..." in the CHECKOUT URL got turned into "...%2520...").

[...]

> I downgraded the server to Apache 2.2.24 and the problem went away.
> 
> I traced the actual TCP conversation in one of these cases and the double
> URL encoding seen is caused by the server: it sends the double encoded
> URL in the Location header of its response to the CHECKOUT request.