Posted to commits@subversion.apache.org by sv...@apache.org on 2022/03/29 04:00:37 UTC
svn commit: r1899331 - in /subversion/branches/1.10.x: ./ STATUS subversion/tests/cmdline/davautocheck.sh subversion/tests/cmdline/mod_authz_svn_tests.py
Author: svn-role
Date: Tue Mar 29 04:00:37 2022
New Revision: 1899331
URL: http://svn.apache.org/viewvc?rev=1899331&view=rev
Log:
Merge the r1883838 group from trunk:
* r1883838, r1883989, r1886460, r1886582, r1892121
Add test coverage for CVE-2020-17525 (mod_authz_svn NULL deref)
Votes:
+1: stsp, markphip, dsahlberg
Modified:
subversion/branches/1.10.x/ (props changed)
subversion/branches/1.10.x/STATUS
subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh
subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py
Propchange: subversion/branches/1.10.x/
------------------------------------------------------------------------------
Merged /subversion/trunk:r1883838,1883989,1886460,1886582,1892121
Modified: subversion/branches/1.10.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/STATUS?rev=1899331&r1=1899330&r2=1899331&view=diff
==============================================================================
--- subversion/branches/1.10.x/STATUS (original)
+++ subversion/branches/1.10.x/STATUS Tue Mar 29 04:00:37 2022
@@ -31,11 +31,6 @@ Veto-blocked changes:
Approved changes:
=================
- * r1883838, r1883989, r1886460, r1886582, r1892121
- Add test coverage for CVE-2020-17525 (mod_authz_svn NULL deref)
- Votes:
- +1: stsp, markphip, dsahlberg
-
* r1894734
Fix issue #4880, "Use-after-free of object-pools when running in httpd"
Justification:
Modified: subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh?rev=1899331&r1=1899330&r2=1899331&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh (original)
+++ subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh Tue Mar 29 04:00:37 2022
@@ -527,10 +527,9 @@ CustomLog "$HTTPD_ROOT/ops" "%
<Location /svn-test-work/repositories>
__EOF__
-location_common() {
+location_common_without_authz() {
cat >> "$HTTPD_CFG" <<__EOF__
DAV svn
- AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile $HTTPD_USERS
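Review bot: `location_common_without_authz` now emits a `<Location>` body that authenticates (`AuthType Basic`, `AuthUserFile`) but carries no authz directive at all, and nothing at the definition says so; a future caller that forgets to add `AuthzSVNAccessFile` or `AuthzSVNReposRelativeAccessFile` would presumably end up with a test repository where every valid user gets unrestricted access. A one-line comment above the function would make the contract explicit: `# Same as location_common but WITHOUT AuthzSVNAccessFile; the caller must add its own authz directive.` The function's heredoc continues past the end of this hunk.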
@@ -540,6 +539,12 @@ cat >> "$HTTPD_CFG" <<__EOF__
SVNBlockRead ${BLOCK_READ_SETTING}
__EOF__
}
+location_common() {
+location_common_without_authz
+cat >> "$HTTPD_CFG" <<__EOF__
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+__EOF__
+}
location_common
cat >> "$HTTPD_CFG" <<__EOF__
SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/repositories"
@@ -582,6 +587,15 @@ cat >> "$HTTPD_CFG" <<__EOF__
</IfModule>
${SVN_PATH_AUTHZ_LINE}
</Location>
+<Location /authz-test-work/in-repos-authz>
+__EOF__
+location_common_without_authz
+cat >> "$HTTPD_CFG" <<__EOF__
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/repositories"
+ Require valid-user
+ Satisfy Any
+ AuthzSVNReposRelativeAccessFile "^/authz"
+</Location>
<Location /authz-test-work/mixed>
__EOF__
location_common
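Review bot: The new `/authz-test-work/in-repos-authz` Location pairs `Require valid-user` with `Satisfy Any`, which appears to be what lets anonymous requests get past httpd authn and reach mod_authz_svn — the precondition for the unauthenticated GETs in the new tests to hit the CVE-2020-17525 code path — but the config does not say this is deliberate, so someone "tightening" the test config could drop `Satisfy Any` and silently lose the regression coverage. Suggest a comment inside the heredoc, e.g. `# Satisfy Any: anonymous requests must reach mod_authz_svn (needed to reproduce CVE-2020-17525)`. It would also help to note next to `AuthzSVNReposRelativeAccessFile "^/authz"` that the rules file is expected to be committed into the repository itself, which is what the Python tests do.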
Modified: subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py?rev=1899331&r1=1899330&r2=1899331&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py (original)
+++ subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py Tue Mar 29 04:00:37 2022
@@ -25,7 +25,7 @@
######################################################################
# General modules
-import os, re, logging
+import os, re, logging, shutil
logger = logging.getLogger()
@@ -1043,6 +1043,73 @@ def authn_sallrall(sbox):
verify_gets(test_area_url, sallrall_tests)
+@SkipUnless(svntest.main.is_ra_type_dav)
+def repos_relative_access_file(sbox):
+ "repos-relative access file"
+
+ sbox.build()
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/repositories/',
+ '/authz-test-work/in-repos-authz/')
+
+ svntest.main.write_authz_file(sbox, {"/": "", "/A": "%s = rw" % user1})
+ shutil.move(sbox.authz_file, os.path.join(sbox.wc_dir, 'authz'))
+ sbox.simple_add('authz')
+ svntest.actions.run_and_verify_svn(None, [], 'relocate',
+ sbox.file_protocol_repo_url(), sbox.wc_dir)
+ sbox.simple_commit(message="adding in-repository authz rules file")
+
+ in_repos_authz_tests = (
+ { 'path': '', 'status': 401, },
+ { 'path': '/authz', 'status': 401, },
+ { 'path': '/authz', 'user' : user1, 'pw' : user1_pass,
+ 'status': 403, },
+ { 'path': '/A', 'user' : user1, 'pw' : user1_pass,
+ 'status': 301, },
+ { 'path': '/A/', 'user' : user1, 'pw' : user1_pass,
+ 'status': 200, },
+ )
+
+ verify_gets(test_area_url, in_repos_authz_tests)
+
+# test for the bug also known as CVE-2020-17525
+@SkipUnless(svntest.main.is_ra_type_dav)
+def nonexistent_repos_relative_access_file(sbox):
+ "repos-relative access file with bad repository URL"
+
+ sbox.build()
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/repositories/',
+ '/authz-test-work/in-repos-authz/')
+
+ # Construct a bad test-area URL to see what happens if we attempt to access
+ # a repository in a subdirectory which does not exist in SVNParentPath.
+ # This used to crash the server with a NULL-pointer dereference upon
+ # unauthenticated access.
+ test_area_url += '-this/does/not/exist'
+
+ svntest.main.write_authz_file(sbox, {"/": "", "/A": "%s = rw" % user1})
+ shutil.move(sbox.authz_file, os.path.join(sbox.wc_dir, 'authz'))
+ sbox.simple_add('authz')
+ svntest.actions.run_and_verify_svn(None, [], 'relocate',
+ sbox.file_protocol_repo_url(), sbox.wc_dir)
+ sbox.simple_commit(message="adding in-repository authz rules file")
+
+ # access is denied across the board since this repository does not exist
+ in_repos_authz_tests = (
+ { 'path': '', 'status': 401, },
+ { 'path': '/authz', 'status': 401, },
+ { 'path': '/authz', 'user' : user1, 'pw' : user1_pass,
+ 'status': 403, },
+ { 'path': '/A', 'user' : user1, 'pw' : user1_pass,
+ 'status': 403, },
+ { 'path': '/A/', 'user' : user1, 'pw' : user1_pass,
+ 'status': 403, },
+ )
+
+ verify_gets(test_area_url, in_repos_authz_tests)
+
+
########################################################################
# Run the tests
@@ -1058,6 +1125,8 @@ test_list = [ None,
authn_group,
authn_sallrany,
authn_sallrall,
+ repos_relative_access_file,
+ nonexistent_repos_relative_access_file,
]
serial_only = True