Posted to commits@subversion.apache.org by sv...@apache.org on 2015/08/27 06:00:23 UTC

svn commit: r1698052 - in /subversion/branches/1.9.x: ./ STATUS build/ac-macros/apache.m4 subversion/mod_authz_svn/mod_authz_svn.c

Author: svn-role
Date: Thu Aug 27 04:00:23 2015
New Revision: 1698052

URL: http://svn.apache.org/r1698052
Log:
Merge the r1687304 group from trunk:

 * r1687304,1687389,1693135,1693138,1693159,1695600,1695606,1695681
   Better configure detection of httpd version and auth fix.
   Justification:
     Build out-of-the box on more platforms.
   Votes:
     +1: philip, stefan2, brane

Modified:
    subversion/branches/1.9.x/   (props changed)
    subversion/branches/1.9.x/STATUS
    subversion/branches/1.9.x/build/ac-macros/apache.m4
    subversion/branches/1.9.x/subversion/mod_authz_svn/mod_authz_svn.c

Propchange: subversion/branches/1.9.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Aug 27 04:00:23 2015
@@ -93,4 +93,4 @@
 /subversion/branches/verify-at-commit:1462039-1462408
 /subversion/branches/verify-keep-going:1439280-1546110
 /subversion/branches/wc-collate-path:1402685-1480384
-/subversion/trunk:1660545-1660547,1660549-1662901,1663003,1663183-1663184,1663338,1663347,1663355,1663374,1663450,1663530,1663671,1663697,1663706,1663738,1663749,1663791,1663991,1664035,1664078,1664080,1664084-1664085,1664187,1664191,1664193,1664200,1664344,1664476,1664480-1664481,1664483,1664489-1664490,1664507,1664520-1664521,1664523,1664526-1664527,1664531-1664532,1664588,1664593-1664594,1664596,1664653,1664664,1664672,1664674,1664684,1664927,1664938-1664940,1664978,1664984,1664997,1665164,1665195,1665213,1665259,1665318,1665437-1665438,1665609,1665611-1665612,1665845,1665850,1665852,1665886,1665894,1665896,1666096,1666258,1666270,1666272,1666379,1666449,1666690,1666832,1666851,1666965,1667101,1667106-1667107,1667120,1667228,1667233-1667235,1667249-1667250,1667258,1667290,1667301,1667471,1667691-1667693,1667699-1667700,1667715,1667941,1667976,1668320,1668598-1668600,1668602-1668603,1668607-1668608,1668618,1669743,1669746,1669749,1669945,1670139,1670149,1670152,1670329,1670337,167
 0347,1670353,1671164,1671388,1672295,1672311,1672372,1672404,1672511-1672512,1672578,1672728,1673044,1673062-1673063,1673065,1673153,1673170,1673172,1673197,1673202,1673204,1673228,1673282,1673445,1673691-1673692,1673746,1673785,1673803,1674015,1674032,1674170,1674301,1674305,1674308,1674339-1674340,1674406,1674415,1674455-1674456,1674475,1674487,1674522,1674580,1674626-1674627,1674785,1674891,1675771,1675774,1676526,1676535,1676538,1676555,1676564,1676570,1676665,1676667,1676769,1677003,1677191,1677267,1677440,1678147,1678149,1678494,1678571,1678734,1678742,1678745-1678746,1678839,1678846,1678894,1678950,1678963,1679166,1679169,1679228,1679230,1679287,1679864,1679866,1679909,1680242,1680264,1680495,1680705,1680819,1681317,1682714,1682854,1683071,1683126,1683135,1683290,1683303,1683311,1683378,1683387,1684034,1684077,1684322,1684325,1684344,1684412,1684940,1685034,1685085,1686175,1686239,1686478,1686541,1686543,1686554,1686557,1686802,1686888,1686984,1687029,1687769,1687776,1688258,
 1688273,1688395,1689214,1689216,1689721,1689729,1691712-1691713,1691924,1691928,1692091,1692093,1692098,1692448,1692469-1692470,1692798-1692799,1693886,1694023,1694929,1696222,1696225,1696387,1696695,1697664
+/subversion/trunk:1660545-1660547,1660549-1662901,1663003,1663183-1663184,1663338,1663347,1663355,1663374,1663450,1663530,1663671,1663697,1663706,1663738,1663749,1663791,1663991,1664035,1664078,1664080,1664084-1664085,1664187,1664191,1664193,1664200,1664344,1664476,1664480-1664481,1664483,1664489-1664490,1664507,1664520-1664521,1664523,1664526-1664527,1664531-1664532,1664588,1664593-1664594,1664596,1664653,1664664,1664672,1664674,1664684,1664927,1664938-1664940,1664978,1664984,1664997,1665164,1665195,1665213,1665259,1665318,1665437-1665438,1665609,1665611-1665612,1665845,1665850,1665852,1665886,1665894,1665896,1666096,1666258,1666270,1666272,1666379,1666449,1666690,1666832,1666851,1666965,1667101,1667106-1667107,1667120,1667228,1667233-1667235,1667249-1667250,1667258,1667290,1667301,1667471,1667691-1667693,1667699-1667700,1667715,1667941,1667976,1668320,1668598-1668600,1668602-1668603,1668607-1668608,1668618,1669743,1669746,1669749,1669945,1670139,1670149,1670152,1670329,1670337,167
 0347,1670353,1671164,1671388,1672295,1672311,1672372,1672404,1672511-1672512,1672578,1672728,1673044,1673062-1673063,1673065,1673153,1673170,1673172,1673197,1673202,1673204,1673228,1673282,1673445,1673691-1673692,1673746,1673785,1673803,1674015,1674032,1674170,1674301,1674305,1674308,1674339-1674340,1674406,1674415,1674455-1674456,1674475,1674487,1674522,1674580,1674626-1674627,1674785,1674891,1675771,1675774,1676526,1676535,1676538,1676555,1676564,1676570,1676665,1676667,1676769,1677003,1677191,1677267,1677440,1678147,1678149,1678494,1678571,1678734,1678742,1678745-1678746,1678839,1678846,1678894,1678950,1678963,1679166,1679169,1679228,1679230,1679287,1679864,1679866,1679909,1680242,1680264,1680495,1680705,1680819,1681317,1682714,1682854,1683071,1683126,1683135,1683290,1683303,1683311,1683378,1683387,1684034,1684077,1684322,1684325,1684344,1684412,1684940,1685034,1685085,1686175,1686239,1686478,1686541,1686543,1686554,1686557,1686802,1686888,1686984,1687029,1687304,1687389,1687769,
 1687776,1688258,1688273,1688395,1689214,1689216,1689721,1689729,1691712-1691713,1691924,1691928,1692091,1692093,1692098,1692448,1692469-1692470,1692798-1692799,1693135,1693138,1693159,1693886,1694023,1694929,1695600,1695606,1695681,1696222,1696225,1696387,1696695,1697664

Modified: subversion/branches/1.9.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.9.x/STATUS?rev=1698052&r1=1698051&r2=1698052&view=diff
==============================================================================
--- subversion/branches/1.9.x/STATUS (original)
+++ subversion/branches/1.9.x/STATUS Thu Aug 27 04:00:23 2015
@@ -44,13 +44,6 @@ Veto-blocked changes:
 Approved changes:
 =================
 
- * r1687304,1687389,1693135,1693138,1693159,1695600,1695606,1695681
-   Better configure detection of httpd version and auth fix.
-   Justification:
-     Build out-of-the box on more platforms.
-   Votes:
-     +1: philip, stefan2, brane
-
  * r1695022
    Fix incomplete membuffer cache initialization.
    Justification:

Modified: subversion/branches/1.9.x/build/ac-macros/apache.m4
URL: http://svn.apache.org/viewvc/subversion/branches/1.9.x/build/ac-macros/apache.m4?rev=1698052&r1=1698051&r2=1698052&view=diff
==============================================================================
--- subversion/branches/1.9.x/build/ac-macros/apache.m4 (original)
+++ subversion/branches/1.9.x/build/ac-macros/apache.m4 Thu Aug 27 04:00:23 2015
@@ -89,6 +89,33 @@ else
     AC_MSG_RESULT(no)
 fi
 
+# check for some busted versions of mod_dav
+# in particular 2.2.25, 2.4.5, and 2.4.6 had the following bugs which are
+# troublesome for Subversion:
+# PR 55304: https://issues.apache.org/bugzilla/show_bug.cgi?id=55304
+# PR 55306: https://issues.apache.org/bugzilla/show_bug.cgi?id=55306
+# PR 55397: https://issues.apache.org/bugzilla/show_bug.cgi?id=55397
+if test -n "$APXS" && test "$APXS" != "no"; then
+  AC_MSG_CHECKING([mod_dav version])
+  HTTPD_MAJOR=`$SED -ne '/^#define AP_SERVER_MAJORVERSION_NUMBER/p' "$APXS_INCLUDE/ap_release.h" | $SED -e 's/^.*NUMBER *//'`
+  HTTPD_MINOR=`$SED -ne '/^#define AP_SERVER_MINORVERSION_NUMBER/p' "$APXS_INCLUDE/ap_release.h" | $SED -e 's/^.*NUMBER *//'`
+  HTTPD_PATCH=`$SED -ne '/^#define AP_SERVER_PATCHLEVEL_NUMBER/p' "$APXS_INCLUDE/ap_release.h" | $SED -e 's/^.*NUMBER *//'`
+  HTTPD_VERSION="${HTTPD_MAJOR}.${HTTPD_MINOR}.${HTTPD_PATCH}"
+  case "$HTTPD_VERSION" in
+    2.2.25 | 2.4.[[5-6]])
+      AC_MSG_RESULT([broken])
+      AC_MSG_ERROR([Apache httpd version $HTTPD_VERSION includes a broken mod_dav; use a newer version of httpd])
+      ;;
+    2.[[0-9]]*.[[0-9]]*)
+      AC_MSG_RESULT([acceptable])
+      ;;
+    *)
+      AC_MSG_RESULT([unrecognised])
+      AC_MSG_ERROR([Apache httpd version $HTTPD_VERSION not recognised])
+      ;;
+  esac
+fi
+
 if test -n "$APXS" && test "$APXS" != "no"; then
   AC_MSG_CHECKING([whether Apache version is compatible with APR version])
   apr_major_version="${apr_version%%.*}"
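Review bot: The three `$SED` extractions at the top of the added block read `$APXS_INCLUDE/ap_release.h` without checking that the file is readable, so a missing or unusual header ends in the `*)` branch with a "version .. not recognised" error that points at the version rather than at the header. The check does fail closed, which is the right direction for a blacklist of known-bad mod_dav releases, but a guard such as `test -r "$APXS_INCLUDE/ap_release.h" || AC_MSG_ERROR([cannot read $APXS_INCLUDE/ap_release.h])` before the first `$SED` call would make the failure diagnosable. Also, `2.[[0-9]]*.[[0-9]]*` is a shell glob, so each `*` accepts arbitrary trailing text; a short comment saying so would stop it being read as a regex. The `if` block that follows continues outside this hunk.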
@@ -106,37 +133,15 @@ if test -n "$APXS" && test "$APXS" != "n
       AC_MSG_ERROR([unknown APR version])
       ;;
   esac
-  old_CPPFLAGS="$CPPFLAGS"
-  CPPFLAGS="$CPPFLAGS $SVN_APR_INCLUDES"
-  AC_EGREP_CPP([apache_minor_version= *\"$apache_minor_version_wanted_regex\"],
-               [
-#include "$APXS_INCLUDE/ap_release.h"
-apache_minor_version=AP_SERVER_MINORVERSION],
-               [AC_MSG_RESULT([yes])],
-               [AC_MSG_RESULT([no])
-                AC_MSG_ERROR([Apache version incompatible with APR version])])
-  CPPFLAGS="$old_CPPFLAGS"
-fi
-
-# check for some busted versions of mod_dav
-# in particular 2.2.25, 2.4.5, and 2.4.6 had the following bugs which are
-# troublesome for Subversion:
-# PR 55304: https://issues.apache.org/bugzilla/show_bug.cgi?id=55304
-# PR 55306: https://issues.apache.org/bugzilla/show_bug.cgi?id=55306
-# PR 55397: https://issues.apache.org/bugzilla/show_bug.cgi?id=55397
-if test -n "$APXS" && test "$APXS" != "no"; then
-  AC_MSG_CHECKING([mod_dav version])
-  old_CPPFLAGS="$CPPFLAGS"
-  CPPFLAGS="$CPPFLAGS $SVN_APR_INCLUDES"
-  blacklisted_versions_regex=["\"2\" \"\.\" (\"2\" \"\.\" \"25\"|\"4\" \"\.\" \"[56]\")"]
-  AC_EGREP_CPP([apache_version= *$blacklisted_versions_regex],
-               [
-#include "$APXS_INCLUDE/ap_release.h"
-apache_version=AP_SERVER_BASEREVISION],
-               [AC_MSG_RESULT([broken])
-                AC_MSG_ERROR([Apache httpd version includes a broken mod_dav; use a newer version of httpd])],
-               [AC_MSG_RESULT([acceptable])])
-  CPPFLAGS="$old_CPPFLAGS"
+  case $HTTPD_MINOR in
+    $apache_minor_version_wanted_regex)
+      AC_MSG_RESULT([yes])
+      ;;
+    *)
+      AC_MSG_RESULT([no])
+      AC_MSG_ERROR([Apache version $HTTPD_VERSION incompatible with APR version $apr_version])
+      ;;
+  esac
 fi
 
 AC_ARG_WITH(apache-libexecdir,
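Review bot: `$apache_minor_version_wanted_regex` is now used as a `case` pattern, so the shell interprets it as a glob rather than as the egrep regex its name promises. Its assignments sit above this hunk, so whether every value means the same thing in both syntaxes cannot be confirmed from here. `HTTPD_MINOR` and `HTTPD_VERSION` come from a separate `if` block earlier in the file; an empty `HTTPD_MINOR` would land in `*)`, which at least fails closed. I would add `# matched as a shell glob by case, not as a regex` above the `case`, or rename the variable.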
@@ -159,24 +164,42 @@ if test -n "$APXS" && test "$APXS" != "n
 
     AC_CHECK_HEADERS(unistd.h, [AC_CHECK_FUNCS(getpid)], [])
 
+    MMN_MAJOR=`$SED -ne '/^#define MODULE_MAGIC_NUMBER_MAJOR/p' "$APXS_INCLUDE/ap_mmn.h" | $SED -e 's/^.*MAJOR *//'`
+    MMN_MINOR=`$SED -ne '/^#define MODULE_MAGIC_NUMBER_MINOR/p' "$APXS_INCLUDE/ap_mmn.h" | $SED -e 's/^.*MINOR *//' | $SED -e 's/ .*//'`
+    if test "$MMN_MAJOR" = "20120211" && test "$MMN_MINOR" -lt "47" ; then
+      # This is httpd 2.4 and it doesn't appear to have the required
+      # API but the installation may have been patched.
+      AC_ARG_ENABLE(broken-httpd-auth,
+        AS_HELP_STRING([--enable-broken-httpd-auth],
+                       [Force build against httpd 2.4 with broken auth]),
+        [broken_httpd_auth=$enableval],[broken_httpd_auth=no])
+      AC_MSG_CHECKING([for ap_some_authn_required])
+      old_CPPFLAGS="$CPPFLAGS"
+      CPPFLAGS="$CPPFLAGS $APACHE_INCLUDES $SVN_APR_INCLUDES"
+      AC_EGREP_CPP([int.*\sap_some_authn_required\s*\(],
+                   [#include "http_request.h"],
+                   [AC_MSG_RESULT([yes])
+                    working_auth=yes],
+                   [AC_MSG_RESULT([no])])
+      CPPFLAGS="$old_CPPFLAGS"
+      if test "$working_auth" = "yes" ; then
+        AC_DEFINE(SVN_USE_FORCE_AUTHN, 1,
+                  [Defined to build with patched httpd 2.4 and working auth])
+      elif test "$enable_broken_httpd_auth" = "yes"; then
+        AC_MSG_WARN([==============================================])
+        AC_MSG_WARN([Apache httpd $HTTPD_VERSION MMN $MMN_MAJOR.$MMN_MINOR])
+        AC_MSG_WARN([Subversion will be vulnerable to CVE-2015-3184])
+        AC_MSG_WARN([==============================================])
+        AC_DEFINE(SVN_ALLOW_BROKEN_HTTPD_AUTH, 1,
+                  [Defined to build against httpd 2.4 with broken auth])
+      else
+        AC_MSG_ERROR([Apache httpd $HTTPD_VERSION MMN $MMN_MAJOR.$MMN_MINOR has broken auth (CVE-2015-3184)])
+      fi
+    fi
+
     BUILD_APACHE_RULE=apache-mod
     INSTALL_APACHE_RULE=install-mods-shared
     INSTALL_APACHE_MODS=true
-    HTTPD="`$APXS -q sbindir`/`$APXS -q PROGNAME`"
-    if ! test -e $HTTPD ; then
-      HTTPD="`$APXS -q bindir`/`$APXS -q PROGNAME`"
-    fi
-    HTTPD_VERSION=["`$HTTPD -v | $SED -e 's@^.*/\([0-9.]*\)\(.*$\)@\1@ ; 1q'`"]
-    AC_ARG_ENABLE(broken-httpd-auth,
-      AS_HELP_STRING([--enable-broken-httpd-auth],
-                     [Allow building against httpd 2.4 with broken auth]),
-      [broken_httpd_auth=$enableval],[broken_httpd_auth=no])
-    if test "$enable_broken_httpd_auth" = "yes"; then
-      AC_MSG_NOTICE([Building with broken httpd auth])
-      AC_DEFINE(SVN_ALLOW_BROKEN_HTTPD_AUTH, 1,
-                [Defined to allow building against httpd 2.4 with broken auth])
-    fi
-
     case $host in
       *-*-cygwin*)
         APACHE_LDFLAGS="-shrext .so"
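Review bot: The CVE-2015-3184 gate is skipped without any diagnostic when `MMN_MINOR` comes back empty or non-numeric, because `test "$MMN_MINOR" -lt "47"` then exits with an error status and the whole `if` body is bypassed. The `#error` in mod_authz_svn.c, changed in this same commit, still stops such a build, but configure should reject the value itself, e.g. `case "$MMN_MINOR" in ''|*[[!0-9]]*) AC_MSG_ERROR([cannot parse MODULE_MAGIC_NUMBER_MINOR]) ;; esac` before the test. `working_auth` is also never reset before `AC_EGREP_CPP`, so a value inherited from the environment would select `SVN_USE_FORCE_AUTHN` without the header check having matched; `working_auth=no` ahead of `AC_MSG_CHECKING` closes that. The `AC_ARG_ENABLE` action assigns `broken_httpd_auth` while the later test reads `enable_broken_httpd_auth`, which works only because autoconf sets the latter itself.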

Modified: subversion/branches/1.9.x/subversion/mod_authz_svn/mod_authz_svn.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.9.x/subversion/mod_authz_svn/mod_authz_svn.c?rev=1698052&r1=1698051&r2=1698052&view=diff
==============================================================================
--- subversion/branches/1.9.x/subversion/mod_authz_svn/mod_authz_svn.c (original)
+++ subversion/branches/1.9.x/subversion/mod_authz_svn/mod_authz_svn.c Thu Aug 27 04:00:23 2015
@@ -84,20 +84,18 @@ typedef struct authz_svn_config_rec {
   const char *force_username_case;
 } authz_svn_config_rec;
 
-#if AP_MODULE_MAGIC_AT_LEAST(20060110,0) /* version where
-                                            ap_some_auth_required breaks */
-#  if AP_MODULE_MAGIC_AT_LEAST(20120211,47) /* first version with
-                                               force_authn hook and
-                                               ap_some_authn_required() which
-                                               allows us to work without
-                                               ap_some_auth_required() */
+/* version where ap_some_auth_required breaks */
+#if AP_MODULE_MAGIC_AT_LEAST(20060110,0)
+/* first version with force_authn hook and ap_some_authn_required()
+   which allows us to work without ap_some_auth_required() */
+#  if AP_MODULE_MAGIC_AT_LEAST(20120211,47) || defined(SVN_USE_FORCE_AUTHN)
 #    define USE_FORCE_AUTHN 1
 #    define IN_SOME_AUTHN_NOTE "authz_svn-in-some-authn"
 #    define FORCE_AUTHN_NOTE "authz_svn-force-authn"
 #  else 
      /* ap_some_auth_required() is busted and no viable alternative exists */
 #    ifndef SVN_ALLOW_BROKEN_HTTPD_AUTH
-#      error This version of httpd has a security hole with mod_authz_svn
+#      error This Apache httpd has broken auth (CVE-2015-3184)
 #    else
        /* user wants to build anyway */
 #      define USE_FORCE_AUTHN 0
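Review bot: The new `|| defined(SVN_USE_FORCE_AUTHN)` arm enables the force_authn path on an httpd whose MMN is below 20120211.47, yet the comment above it still describes only the MMN condition. In this commit configure defines that macro after finding a declaration of `ap_some_authn_required` in http_request.h; it does not check for the force_authn hook, so the comment should state that assumption, for example `/* SVN_USE_FORCE_AUTHN: set by configure for a patched httpd 2.4 that declares ap_some_authn_required(); the force_authn hook is assumed to come with the same patch */`. The `SVN_ALLOW_BROKEN_HTTPD_AUTH` branch builds a module that the configure warning describes as vulnerable, and changing its comment to `/* user wants to build anyway; module remains exposed to CVE-2015-3184 */` would match the new `#error` text. The `#if` ladder continues past the end of this hunk.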