You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Yann Ylavic <yl...@gmail.com> on 2015/05/12 10:41:50 UTC

Fwd: [users@httpd] mod_authz_dbd regression in apache 2.4.12?

This as been raised on users@.

---------- Forwarded message ----------
From: Yann Ylavic <yl...@gmail.com>
Date: Tue, May 12, 2015 at 10:09 AM

On Mon, May 11, 2015 at 10:54 PM, Michel Stam <mi...@reverze.net> wrote:
>
> I was tinkering over the weekend with mod_authz_dbd and mysql, and i could not get a RequireAny/RequireAll to match on multiple Require dbd-group statements. It would always match only the last result from the query, but once for every row in the resultset.
>
> Example:
>         <LocationMatch "/(?<name>[^/]+)/">
>                 <RequireAny>
>                         Require         user %{env:MATCH_NAME}
>                         Require         dbd-group %{env:MATCH_NAME}
>                         Require         dbd-group Administrators
>                 </RequireAny>
>         </LocationMatch>
>
> After some searching, it appeared to me to be a regression of this:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=46421

The fix mentioned there is about APR's dbd (mysql) code but has never
been pushed to a release (the bugzilla report is still open).
As already discussed in [1] (with a simililar fix for mod_authn_dbd in
[2]), I don't think it should be addressed in APR though (but in httpd
as you and the OP of bugzilla #46421 proposed).

There also seems to be other misuses of apr_dbd_get_entry() returned
values in httpd, I'll start a thread on the dev@ mailing-list and
propose a fix.

[1] http://www.mail-archive.com/dev@apr.apache.org/msg26024.html
[2] http://svn.apache.org/r1663647

---------- End of forwarded message ----------

The issue is that apr_dbd_get_row()'s entries (usually pointed to by
apr_dbd_get_entry(), depending on dbd though) get destroyed whenever
apr_dbd_get_row() returns -1 (no more rows in iterative mode).

This seem to be the case for several dbd systems implemented in APR,
so I think we should take care of the entries' lifetime when used
after an apr_dbd_get_row() loop.
Thus, I think the attached patch should be applied, thoughts?

PS: there are also APR dbd systems where the entries are duplicated on
the apr_dbd_results' pool, so APR is not really consistent...

Re: [users@httpd] mod_authz_dbd regression in apache 2.4.12?

Posted by Yann Ylavic <yl...@gmail.com>.

Committed in http://svn.apache.org/r1679181 (and r1679182 for CHANGES entry).
Backport to 2.4.x proposed in r1679183 (including Jan's r1663647).

On Tue, May 12, 2015 at 1:46 PM, Yann Ylavic <yl...@gmail.com> wrote:
> (CC'ing Michel, sorry for the resend, my initial omission)
>
> On Tue, May 12, 2015 at 10:41 AM, Yann Ylavic <yl...@gmail.com> wrote:
>> This as been raised on users@.
>>
>> ---------- Forwarded message ----------
>> From: Yann Ylavic <yl...@gmail.com>
>> Date: Tue, May 12, 2015 at 10:09 AM
>>
>> On Mon, May 11, 2015 at 10:54 PM, Michel Stam <mi...@reverze.net> wrote:
>>>
>>> I was tinkering over the weekend with mod_authz_dbd and mysql, and i could not get a RequireAny/RequireAll to match on multiple Require dbd-group statements.
>>> It would always match only the last result from the query, but once for every row in the resultset.
>>>
>>> Example:
>>>         <LocationMatch "/(?<name>[^/]+)/">
>>>                 <RequireAny>
>>>                         Require         user %{env:MATCH_NAME}
>>>                         Require         dbd-group %{env:MATCH_NAME}
>>>                         Require         dbd-group Administrators
>>>                 </RequireAny>
>>>         </LocationMatch>
>>>
>>> After some searching, it appeared to me to be a regression of this:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=46421
>>
>> The fix mentioned there is about APR's dbd (mysql) code but has never
>> been pushed to a release (the bugzilla report is still open).
>> As already discussed in [1] (with a simililar fix for mod_authn_dbd in
>> [2]), I don't think it should be addressed in APR though (but in httpd
>> as you and the OP of bugzilla #46421 proposed).
>>
>> There also seems to be other misuses of apr_dbd_get_entry() returned
>> values in httpd, I'll start a thread on the dev@ mailing-list and
>> propose a fix.
>>
>> [1] http://www.mail-archive.com/dev@apr.apache.org/msg26024.html
>> [2] http://svn.apache.org/r1663647
>>
>> ---------- End of forwarded message ----------
>>
>> The issue is that apr_dbd_get_row()'s entries (usually pointed to by
>> apr_dbd_get_entry(), depending on dbd though) get destroyed whenever
>> apr_dbd_get_row() returns -1 (no more rows in iterative mode).
>>
>> This seem to be the case for several dbd systems implemented in APR,
>> so I think we should take care of the entries' lifetime when used
>> after an apr_dbd_get_row() loop.
>> Thus, I think the attached patch should be applied, thoughts?
>>
>> PS: there are also APR dbd systems where the entries are duplicated on
>> the apr_dbd_results' pool, so APR is not really consistent...

Re: [users@httpd] mod_authz_dbd regression in apache 2.4.12?

Posted by Yann Ylavic <yl...@gmail.com>.

(CC'ing Michel, sorry for the resend, my initial omission)

On Tue, May 12, 2015 at 10:41 AM, Yann Ylavic <yl...@gmail.com> wrote:
> This as been raised on users@.
>
> ---------- Forwarded message ----------
> From: Yann Ylavic <yl...@gmail.com>
> Date: Tue, May 12, 2015 at 10:09 AM
>
> On Mon, May 11, 2015 at 10:54 PM, Michel Stam <mi...@reverze.net> wrote:
>>
>> I was tinkering over the weekend with mod_authz_dbd and mysql, and i could not get a RequireAny/RequireAll to match on multiple Require dbd-group statements.
>> It would always match only the last result from the query, but once for every row in the resultset.
>>
>> Example:
>>         <LocationMatch "/(?<name>[^/]+)/">
>>                 <RequireAny>
>>                         Require         user %{env:MATCH_NAME}
>>                         Require         dbd-group %{env:MATCH_NAME}
>>                         Require         dbd-group Administrators
>>                 </RequireAny>
>>         </LocationMatch>
>>
>> After some searching, it appeared to me to be a regression of this:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=46421
>
> The fix mentioned there is about APR's dbd (mysql) code but has never
> been pushed to a release (the bugzilla report is still open).
> As already discussed in [1] (with a simililar fix for mod_authn_dbd in
> [2]), I don't think it should be addressed in APR though (but in httpd
> as you and the OP of bugzilla #46421 proposed).
>
> There also seems to be other misuses of apr_dbd_get_entry() returned
> values in httpd, I'll start a thread on the dev@ mailing-list and
> propose a fix.
>
> [1] http://www.mail-archive.com/dev@apr.apache.org/msg26024.html
> [2] http://svn.apache.org/r1663647
>
> ---------- End of forwarded message ----------
>
> The issue is that apr_dbd_get_row()'s entries (usually pointed to by
> apr_dbd_get_entry(), depending on dbd though) get destroyed whenever
> apr_dbd_get_row() returns -1 (no more rows in iterative mode).
>
> This seem to be the case for several dbd systems implemented in APR,
> so I think we should take care of the entries' lifetime when used
> after an apr_dbd_get_row() loop.
> Thus, I think the attached patch should be applied, thoughts?
>
> PS: there are also APR dbd systems where the entries are duplicated on
> the apr_dbd_results' pool, so APR is not really consistent...