Posted to cvs@httpd.apache.org by jo...@apache.org on 2019/04/02 10:44:12 UTC

svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t

Author: jorton
Date: Tue Apr  2 10:44:12 2019
New Revision: 1856807

URL: http://svn.apache.org/viewvc?rev=1856807&view=rev
Log:
Add test case for CVE-2019-0215.

Added:
    httpd/test/framework/trunk/t/security/CVE-2019-0215.t

Added: httpd/test/framework/trunk/t/security/CVE-2019-0215.t
URL: http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2019-0215.t?rev=1856807&view=auto
==============================================================================
--- httpd/test/framework/trunk/t/security/CVE-2019-0215.t (added)
+++ httpd/test/framework/trunk/t/security/CVE-2019-0215.t Tue Apr  2 10:44:12 2019
@@ -0,0 +1,26 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my $vars = Apache::Test::vars();
+
+plan tests => 2, need $vars->{ssl_module_name}, need_lwp,
+    qw(LWP::Protocol::https);
+
+Apache::TestRequest::user_agent_keepalive(1);
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::module('ssl_optional_cc');
+
+my $r;
+
+$r = GET "/require/any/";
+
+ok t_cmp($r->code, 403, "first access denied without ccert");
+
+$r = GET "/require/any/";
+
+ok t_cmp($r->code, 403, "second access denied without ccert");
+
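Review bot: the file has no comment explaining why `GET "/require/any/"` is issued twice with `user_agent_keepalive(1)` set; both assertions expect the same 403, so a reader cannot tell what the second request covers that the first does not. A short header comment naming the behaviour under test (for example, that the denial must still hold on the second request over the kept-alive connection, if that is the intent) would make a future failure easier to interpret.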



Re: svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t

Posted by Rainer Jung <ra...@kippdata.de>.
On 04.08.2019 at 23:14, Daniel Ruggeri wrote:
> 
> On 8/4/2019 3:30 AM, Rainer Jung wrote:
>> Hi there,
>>
>> this one fails for me when the server uses OpenSSL 1.1.1 (no other
>> variant tested yet) but the client uses something before 1.1.1. In
>> this case I get Status 500 instead of the expected 403 in the client.
>>
>> Another older test t/security/CVE-2005-2700.t uses
>>
>> ok !t_cmp($r->code, 200, "...
>>
>> instead of
>>
>> ok t_cmp($r->code, 403, "...
>>
>> used in the new test. Do others observe the same problem? Should we
>> relax the condition on 403 or 500, or is it necessary to only relax if
>> client isn't using 1.1.1 (or maybe depending on effective TLS version)?
> 
> I also see the same problem. The 500 must be coming from the LWP client
> rather than httpd, though, as httpd does log the 403. I would prefer to
> skip the test for non-compatible clients rather than for the internal
> client error to be treated as a "pass" of a test it cannot run.

As an intermediate solution I added a request to check whether TLS 1.3
works and, depending on that, switch the expectation to status 403 or 500.
See r1864463.

I am undecided whether skipping or allowing 500 is better for the
non-TLS 1.3 case. More opinions? Joe (original author)?

Regards,

Rainer

Re: svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t

Posted by Daniel Ruggeri <dr...@apache.org>.
On 8/4/2019 3:30 AM, Rainer Jung wrote:
> Hi there,
>
> this one fails for me when the server uses OpenSSL 1.1.1 (no other
> variant tested yet) but the client uses something before 1.1.1. In
> this case I get Status 500 instead of the expected 403 in the client.
>
> Another older test t/security/CVE-2005-2700.t uses
>
> ok !t_cmp($r->code, 200, "...
>
> instead of
>
> ok t_cmp($r->code, 403, "...
>
> used in the new test. Do others observe the same problem? Should we
> relax the condition on 403 or 500, or is it necessary to only relax if
> client isn't using 1.1.1 (or maybe depending on effective TLS version)?

I also see the same problem. The 500 must be coming from the LWP client
rather than httpd, though, as httpd does log the 403. I would prefer to
skip the test for non-compatible clients rather than for the internal
client error to be treated as a "pass" of a test it cannot run.

-- 
Daniel Ruggeri

>
> Regards,
>
> Rainer
>
> On 02.04.2019 at 12:44, jorton@apache.org wrote:
>> Author: jorton
>> Date: Tue Apr  2 10:44:12 2019
>> New Revision: 1856807
>>
>> URL: http://svn.apache.org/viewvc?rev=1856807&view=rev
>> Log:
>> Add test case for CVE-2019-0215.
>>
>> Added:
>>      httpd/test/framework/trunk/t/security/CVE-2019-0215.t
>>
>> Added: httpd/test/framework/trunk/t/security/CVE-2019-0215.t
>> URL:
>> http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2019-0215.t?rev=1856807&view=auto
>> ==============================================================================
>>
>> --- httpd/test/framework/trunk/t/security/CVE-2019-0215.t (added)
>> +++ httpd/test/framework/trunk/t/security/CVE-2019-0215.t Tue Apr  2
>> 10:44:12 2019
>> @@ -0,0 +1,26 @@
>> +use strict;
>> +use warnings FATAL => 'all';
>> +
>> +use Apache::Test;
>> +use Apache::TestUtil;
>> +use Apache::TestRequest;
>> +
>> +my $vars = Apache::Test::vars();
>> +
>> +plan tests => 2, need $vars->{ssl_module_name}, need_lwp,
>> +    qw(LWP::Protocol::https);
>> +
>> +Apache::TestRequest::user_agent_keepalive(1);
>> +Apache::TestRequest::scheme('https');
>> +Apache::TestRequest::module('ssl_optional_cc');
>> +
>> +my $r;
>> +
>> +$r = GET "/require/any/";
>> +
>> +ok t_cmp($r->code, 403, "first access denied without ccert");
>> +
>> +$r = GET "/require/any/";
>> +
>> +ok t_cmp($r->code, 403, "second access denied without ccert");
>> +
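Review bot: both `ok t_cmp($r->code, 403, ...)` checks look only at the status code, so they cannot tell a response sent by httpd apart from one generated inside LWP when the request never completes. LWP::UserAgent marks responses it synthesises itself with a `Client-Warning: Internal response` header; testing `$r->header('Client-Warning')` before the comparison would let the test skip, or report the client failure explicitly, instead of judging the server on a status code it did not send.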

Re: svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t

Posted by Rainer Jung <ra...@kippdata.de>.
Hi there,

this one fails for me when the server uses OpenSSL 1.1.1 (no other 
variant tested yet) but the client uses something before 1.1.1. In this 
case I get Status 500 instead of the expected 403 in the client.

Another older test t/security/CVE-2005-2700.t uses

ok !t_cmp($r->code, 200, "...

instead of

ok t_cmp($r->code, 403, "...

used in the new test. Do others observe the same problem? Should we 
relax the condition on 403 or 500, or is it necessary to only relax if 
client isn't using 1.1.1 (or maybe depending on effective TLS version)?

Regards,

Rainer

On 02.04.2019 at 12:44, jorton@apache.org wrote:
> Author: jorton
> Date: Tue Apr  2 10:44:12 2019
> New Revision: 1856807
> 
> URL: http://svn.apache.org/viewvc?rev=1856807&view=rev
> Log:
> Add test case for CVE-2019-0215.
> 
> Added:
>      httpd/test/framework/trunk/t/security/CVE-2019-0215.t
> 
> Added: httpd/test/framework/trunk/t/security/CVE-2019-0215.t
> URL: http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2019-0215.t?rev=1856807&view=auto
> ==============================================================================
> --- httpd/test/framework/trunk/t/security/CVE-2019-0215.t (added)
> +++ httpd/test/framework/trunk/t/security/CVE-2019-0215.t Tue Apr  2 10:44:12 2019
> @@ -0,0 +1,26 @@
> +use strict;
> +use warnings FATAL => 'all';
> +
> +use Apache::Test;
> +use Apache::TestUtil;
> +use Apache::TestRequest;
> +
> +my $vars = Apache::Test::vars();
> +
> +plan tests => 2, need $vars->{ssl_module_name}, need_lwp,
> +    qw(LWP::Protocol::https);
> +
> +Apache::TestRequest::user_agent_keepalive(1);
> +Apache::TestRequest::scheme('https');
> +Apache::TestRequest::module('ssl_optional_cc');
> +
> +my $r;
> +
> +$r = GET "/require/any/";
> +
> +ok t_cmp($r->code, 403, "first access denied without ccert");
> +
> +$r = GET "/require/any/";
> +
> +ok t_cmp($r->code, 403, "second access denied without ccert");
> +
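Review bot: the `plan tests => 2, need $vars->{ssl_module_name}, need_lwp, qw(LWP::Protocol::https);` line gates the test only on the SSL module and an HTTPS-capable LWP being present, not on which TLS versions the client can negotiate with the server. If the expected 403 depends on that, the precondition belongs among the `plan` conditions so that the test is skipped rather than failed on setups that cannot meet it.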