You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by iv...@apache.org on 2012/09/20 12:18:39 UTC
svn commit: r1387943 -
/subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c
Author: ivan
Date: Thu Sep 20 10:18:39 2012
New Revision: 1387943
URL: http://svn.apache.org/viewvc?rev=1387943&view=rev
Log:
Fix unbounded memory usage in mod_authz_svn with short_circuit enabled.
Found by: Roderich Schupp <ro...@gmail.com>
* subversion/mod_authz_svn/mod_authz_svn.c
(): Include svn_pools.h.
(get_access_conf, get_username_to_authorize): Add scratch_pool parameter
and use it for temporary data.
(req_check_access): Pass r->pool as scratch_pool to
get_username_to_authorize() and get_access_conf().
(subreq_bypass2): New. Implementation extracted from subreq_bypass.
(subreq_bypass): Create scratch_pool and call subreq_bypass2.
Modified:
subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c
Modified: subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c?rev=1387943&r1=1387942&r2=1387943&view=diff
==============================================================================
--- subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c (original)
+++ subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c Thu Sep 20 10:18:39 2012
@@ -44,6 +44,7 @@
#include "svn_config.h"
#include "svn_string.h"
#include "svn_repos.h"
+#include "svn_pools.h"
#include "svn_dirent_uri.h"
#include "private/svn_fspath.h"
@@ -164,7 +165,8 @@ static const command_rec authz_svn_cmds[
* Get the, possibly cached, svn_authz_t for this request.
*/
static svn_authz_t *
-get_access_conf(request_rec *r, authz_svn_config_rec *conf)
+get_access_conf(request_rec *r, authz_svn_config_rec *conf,
+ apr_pool_t *scratch_pool)
{
const char *cache_key = NULL;
const char *access_file;
@@ -182,7 +184,7 @@ get_access_conf(request_rec *r, authz_sv
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", dav_err->desc);
return NULL;
}
- access_file = svn_dirent_join_many(r->pool, repos_path, "conf",
+ access_file = svn_dirent_join_many(scratch_pool, repos_path, "conf",
conf->repo_relative_access_file,
NULL);
}
@@ -194,7 +196,7 @@ get_access_conf(request_rec *r, authz_sv
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Path to authz file is %s", access_file);
- cache_key = apr_pstrcat(r->pool, "mod_authz_svn:",
+ cache_key = apr_pstrcat(scratch_pool, "mod_authz_svn:",
access_file, (char *)NULL);
apr_pool_userdata_get(&user_data, cache_key, r->connection->pool);
access_conf = user_data;
@@ -243,12 +245,13 @@ convert_case(char *text, svn_boolean_t t
/* Return the username to authorize, with case-conversion performed if
CONF->force_username_case is set. */
static char *
-get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf)
+get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf,
+ apr_pool_t *pool)
{
char *username_to_authorize = r->user;
if (username_to_authorize && conf->force_username_case)
{
- username_to_authorize = apr_pstrdup(r->pool, r->user);
+ username_to_authorize = apr_pstrdup(pool, r->user);
convert_case(username_to_authorize,
strcasecmp(conf->force_username_case, "upper") == 0);
}
@@ -283,7 +286,8 @@ req_check_access(request_rec *r,
svn_authz_t *access_conf = NULL;
svn_error_t *svn_err;
char errbuf[256];
- const char *username_to_authorize = get_username_to_authorize(r, conf);
+ const char *username_to_authorize = get_username_to_authorize(r, conf,
+ r->pool);
switch (r->method_number)
{
@@ -419,7 +423,7 @@ req_check_access(request_rec *r,
}
/* Retrieve/cache authorization file */
- access_conf = get_access_conf(r,conf);
+ access_conf = get_access_conf(r,conf, r->pool);
if (access_conf == NULL)
return DECLINED;
@@ -577,14 +581,13 @@ log_access_verdict(LOG_ARGS_SIGNATURE,
}
/*
- * This function is used as a provider to allow mod_dav_svn to bypass the
- * generation of an apache request when checking GET access from
- * "mod_dav_svn/authz.c" .
+ * Implementation of subreq_bypass with scratch_pool parameter.
*/
static int
-subreq_bypass(request_rec *r,
- const char *repos_path,
- const char *repos_name)
+subreq_bypass2(request_rec *r,
+ const char *repos_path,
+ const char *repos_name,
+ apr_pool_t *scratch_pool)
{
svn_error_t *svn_err = NULL;
svn_authz_t *access_conf = NULL;
@@ -595,7 +598,7 @@ subreq_bypass(request_rec *r,
conf = ap_get_module_config(r->per_dir_config,
&authz_svn_module);
- username_to_authorize = get_username_to_authorize(r, conf);
+ username_to_authorize = get_username_to_authorize(r, conf, scratch_pool);
/* If configured properly, this should never be true, but just in case. */
if (!conf->anonymous
@@ -606,7 +609,7 @@ subreq_bypass(request_rec *r,
}
/* Retrieve authorization file */
- access_conf = get_access_conf(r, conf);
+ access_conf = get_access_conf(r, conf, scratch_pool);
if (access_conf == NULL)
return HTTP_FORBIDDEN;
@@ -620,7 +623,7 @@ subreq_bypass(request_rec *r,
username_to_authorize,
svn_authz_none|svn_authz_read,
&authz_access_granted,
- r->pool);
+ scratch_pool);
if (svn_err)
{
ap_log_rerror(APLOG_MARK, APLOG_ERR,
@@ -650,6 +653,26 @@ subreq_bypass(request_rec *r,
}
/*
+ * This function is used as a provider to allow mod_dav_svn to bypass the
+ * generation of an apache request when checking GET access from
+ * "mod_dav_svn/authz.c" .
+ */
+static int
+subreq_bypass(request_rec *r,
+ const char *repos_path,
+ const char *repos_name)
+{
+ int status;
+ apr_pool_t *scratch_pool;
+
+ scratch_pool = svn_pool_create(r->pool);
+ status = subreq_bypass2(r, repos_path, repos_name, scratch_pool);
+ svn_pool_destroy(scratch_pool);
+
+ return status;
+}
+
+/*
* Hooks
*/