Posted to dev@httpd.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2015/07/06 17:38:21 UTC

Showstoppers

Hope everyone enjoyed a nice weekend, and a good holiday for those here in
the States!

On 2.4, one significant issue remains unsettled...

  *) mod_alias: Limit Redirect expressions to directory (Location) context
     and redirect statuses (implicit or explicit).
     trunk patch: http://svn.apache.org/r1686853
                  http://svn.apache.org/r1686856
     2.4.x patch: trunk works (modulo CHANGES)
     +1: ylavic, jim

  *) Revert insufficiently thought-out mod_alias new expression feature
        http://svn.apache.org/viewvc?view=revision&revision=1663259
     +1: wrowe, jim
     [Mutually exclusive to multiple RedirectMatch patches proposed above,
     but entirely possible to vote for both or vote against either.
     [docs/manual .xml's require 'build all' regeneration]

Graham, as an original author back in January, you are in the best position
to review this fix for correctness.  Alternately, if someone is already
reviewing that patch and can complete, we can avoid backing out this
enhancement for a next attempt to T&R.  Backing it out is actually as
simple as a veto of the backport, but framed the choice as a vote to be
diplomatic.  I for one would support the backport once again after we've
successfully released a 2.4.next.

On 2.2, one significant issue remains unsettled...

  *) http: follow up to r1686271 (trunk) => r1686271 (2.4.x)
     Handle reentrance of state BODY_CHUNK_CR to avoid AH02901 when we eat
     BWS from multiple reads, and limit number of chunk-BWS to 10.
     trunk patch: http://svn.apache.org/r1688536
                  http://svn.apache.org/r1688538
     2.2.x patch: trunk works
     +1: ylavic, wrowe

This one is a bit simpler to review, and mirrors what is already approved
on 2.4 branch.

I'm hoping to tag and roll 2.2 later this afternoon, and I recall Jim
suggesting he's itching to T&R 2.4 early this week, so just one more pair
of eyeballs could get us to that point.  If you can, my thanks to you in
advance.

Bill

Re: Showstoppers

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Jul 8, 2015 6:59 AM, "Yann Ylavic" <yl...@gmail.com> wrote:
>
> However maybe the proposed backport about mod_reqtimeout (PR 56729) is
> worth being included too, but that's not a showstopper.
> It somehow made its way through 2.2.30 already (r1678698) but for
> 2.4.x this partial fix isn't enough (due to EOR handling).
> Would be nice if it could be reviewed on time (my only vote so far...).

Since it is a security related defect (not exploitable, ergo not a
vulnerability) I reviewed the 2.4 patch as well, thanks for pointing out
the discrepancy.

Re: Showstoppers

Posted by Yann Ylavic <yl...@gmail.com>.
On Wed, Jul 8, 2015 at 2:16 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 2.4 still needs one reviewer to make the decision so we can have a 2.4, at
> last.

I voted the revert, applied accepted backports, and updated tests
framework accordingly.
I guess both 2.4.16 and 2.2.30 could be T&R now.

However maybe the proposed backport about mod_reqtimeout (PR 56729) is
worth being included too, but that's not a showstopper.
It somehow made its way through 2.2.30 already (r1678698) but for
2.4.x this partial fix isn't enough (due to EOR handling).
Would be nice if it could be reviewed on time (my only vote so far...).

Re: Showstoppers

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
2.4 still needs one reviewer to make the decision so we can have a 2.4, at
last.

Thanks to Mike for the review on the 2.2 showstopper, jumping ahead on
tarballs for 2.2.30 in the morning.

On Mon, Jul 6, 2015 at 10:38 AM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:

> Hope everyone enjoyed a nice weekend, and a good holiday for those here in
> the States!
>
> On 2.4, one significant issue remains unsettled...
>
>   *) mod_alias: Limit Redirect expressions to directory (Location) context
>      and redirect statuses (implicit or explicit).
>      trunk patch: http://svn.apache.org/r1686853
>                   http://svn.apache.org/r1686856
>      2.4.x patch: trunk works (modulo CHANGES)
>      +1: ylavic, jim
>
>   *) Revert insufficiently thought-out mod_alias new expression feature
>         http://svn.apache.org/viewvc?view=revision&revision=1663259
>      +1: wrowe, jim
>      [Mutually exclusive to multiple RedirectMatch patches proposed above,
>      but entirely possible to vote for both or vote against either.
>      [docs/manual .xml's require 'build all' regeneration]
>
> Graham, as an original author back in January, you are in the best
> position to review this fix for correctness.  Alternately, if someone is
> already reviewing that patch and can complete, we can avoid backing out
> this enhancement for a next attempt to T&R.  Backing it out is actually as
> simple as a veto of the backport, but framed the choice as a vote to be
> diplomatic.  I for one would support the backport once again after we've
> successfully released a 2.4.next.
>
> On 2.2, one significant issue remains unsettled...
>
>   *) http: follow up to r1686271 (trunk) => r1686271 (2.4.x)
>      Handle reentrance of state BODY_CHUNK_CR to avoid AH02901 when we eat
>      BWS from multiple reads, and limit number of chunk-BWS to 10.
>      trunk patch: http://svn.apache.org/r1688536
>                   http://svn.apache.org/r1688538
>      2.2.x patch: trunk works
>      +1: ylavic, wrowe
>
> This one is a bit simpler to review, and mirrors what is already approved
> on 2.4 branch.
>
> I'm hoping to tag and roll 2.2 later this afternoon, and I recall Jim
> suggesting he's itching to T&R 2.4 early this week, so just one more pair
> of eyeballs could get us to that point.  If you can, my thanks to you in
> advance.
>
> Bill