Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/01/20 20:17:11 UTC

[Bug 56038] New: mod_session excludes not processed correctly

https://issues.apache.org/bugzilla/show_bug.cgi?id=56038

            Bug ID: 56038
           Summary: mod_session excludes not processed correctly
           Product: Apache httpd-2
           Version: 2.4.7
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_session
          Assignee: bugs@httpd.apache.org
          Reporter: erik@adaptations.com

In line 72 of mod_session.c

        for (i = 0; included && i < conf->includes->nelts; i++) {

conf->includes->nelts is used for the loop condition, but this is a loop for
conf->excludes. Unless the # of SessionInclude directives is exactly the same
as SessionExclude, this loop will not be processed correctly.

In addition, when the loop is indeed processed, the string comparison does not
appear to be coded correctly. On line 75

            if (strncmp(r->uri, exclude, strlen(exclude))) {

should be

            if (strncmp(r->uri, exclude, strlen(exclude)) == 0) {

because strncmp will return 0 for a match.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
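
Added example, not part of the original report and not httpd source: a stand-alone C model of the prefix check described above. It puts the as-reported logic, including the include-loop comparison raised in Comment #1, beside a corrected form. The struct, the function names and the sample paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the module's include/exclude prefix lists. */
struct prefix_conf {
    const char **includes; int n_includes;
    const char **excludes; int n_excludes;
};

static int starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;   /* 0 means match */
}

/* As reported: nonzero strncmp() taken as a match, wrong loop bound. */
int included_buggy(const char *uri, const struct prefix_conf *c) {
    int included = 1, i;
    if (c->n_includes) {
        included = 0;
        for (i = 0; !included && i < c->n_includes; i++)
            if (strncmp(uri, c->includes[i], strlen(c->includes[i])))
                included = 1;
    }
    if (c->n_excludes)
        for (i = 0; included && i < c->n_includes; i++) /* wrong bound */
            if (strncmp(uri, c->excludes[i], strlen(c->excludes[i])))
                included = 0;
    return included;
}

/* Corrected: each loop uses its own count and tests for a match. */
int included_fixed(const char *uri, const struct prefix_conf *c) {
    int included = 1, i;
    if (c->n_includes) {
        included = 0;
        for (i = 0; !included && i < c->n_includes; i++)
            included = starts_with(uri, c->includes[i]);
    }
    for (i = 0; included && i < c->n_excludes; i++)
        included = !starts_with(uri, c->excludes[i]);
    return included;
}

/* Constructed sample: one exclude prefix, no include prefixes. */
static const char *sample_excludes[] = { "/public/" };
static const struct prefix_conf exclude_only = { NULL, 0, sample_excludes, 1 };

int main(void) {
    const char *uri = "/public/logo.png";
    printf("buggy=%d fixed=%d\n", included_buggy(uri, &exclude_only),
           included_fixed(uri, &exclude_only));
    return 0;
}
```

With only an exclude prefix configured, the as-reported loop never runs, so the excluded path is still treated as included.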


[Bug 56038] mod_session excludes not processed correctly

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56038

--- Comment #5 from Jeff Trawick <tr...@apache.org> ---
>Is svn 2.4.x the same as 2.4.FUTURE you refer to or 2.4-HEAD in Bugzilla, and the same branch that will be receiving updates since 2.4.7?

All the same...  "FUTURE" is simply intended to refer to a future 2.4.x
release.  2.4.8, 2.4.9, etc.



[Bug 56038] mod_session excludes not processed correctly

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56038

--- Comment #4 from Erik Pearson <er...@adaptations.com> ---
Great!
I don't know the magic incantations for, nor should I probably use,
httpd-trunk. Is svn 2.4.x the same as 2.4.FUTURE you refer to or 2.4-HEAD in
Bugzilla, and the same branch that will be receiving updates since 2.4.7?



[Bug 56038] mod_session excludes not processed correctly

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56038

--- Comment #1 from Jeff Trawick <tr...@apache.org> ---
The prior strncmp() also needs the same fix (add "== 0"), right?



[Bug 56038] mod_session excludes not processed correctly

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56038

Graham Leggett <mi...@sharp.fm> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Graham Leggett <mi...@sharp.fm> ---
Backported to v2.4.8.



[Bug 56038] mod_session excludes not processed correctly

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56038

--- Comment #3 from Jeff Trawick <tr...@apache.org> ---
Committed to trunk as r1559828 (Please check at
http://svn.apache.org/viewvc?view=revision&revision=r1559828)

Also proposed for backport to 2.4.future.

Style considerations:  There are plenty of examples in the entire codebase of
both ([!]strncmp()) and (strncmp() ==/!= 0), and no working examples in the
rest of mod_session.c to consider, so I don't think it is important either way.
 I went with your suggestion of "== 0".  An APR function implementing the
starts-with check might be nice, but in absence of that I don't think a macro
is worth pursuing.

New regex feature: Open another issue and mark as enhancement.

Thanks!



[Bug 56038] mod_session excludes not processed correctly

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56038

--- Comment #2 from Erik Pearson <er...@adaptations.com> ---
Yes, it would.

BTW shouldn't the actual fix be according to Apache coding standards, whatever
that is? I haven't truly coded in C for years. A quick scan of the source tree
shows mixed usage of strncmp(). Often it is treated as a boolean; other times
as an integer with a numeric comparison. 

I would think from a code clarity position, the integer comparisons, with ==0
for a match and !=0 for a non-match, would be best. The boolean usage reads
counter for me -- you have to use !strncmp() to mean a match. Although for C
programmers the idiom may be second nature.

Maybe a macro like STARTS_WITH would have been clearer?

In this case, and out of scope of this bug, I would argue that this should be a
regex comparison -- it will likely be matched to authentication requirements.
That is, to avoid the session overhead on nonauthenticated resources, one would
probably want to use the same expression here as in a LocationMatch or whatever
is used to set up a pattern for authentication.
