
Re: Linux distributions and the Apache MMN

From: Philip Martin <philip.martin_at_wandisco.com>
Date: Wed, 12 Aug 2015 13:46:58 +0100

Philip Martin <philip.martin_at_wandisco.com> writes:

> Writing autoconf code to run grep on the httpd header file might be an
> option.

I worked up a patch. This has the added advantage that the detection now
happens earlier, so broken httpd causes a configure error rather than a
compile error. It has the disadvantage that the obsolete apache 2.3.x
has to be treated as either 2.2 or 2.4 and neither is correct; 2.3.x
should be treated as 2.2 only up to MMN 20060110.0. I don't think 2.3
really matters.

Do we want to go this way?

Index: build/ac-macros/apache.m4
===================================================================
--- build/ac-macros/apache.m4 (revision 1695447)
+++ build/ac-macros/apache.m4 (working copy)
@@ -164,19 +164,37 @@
 
     AC_CHECK_HEADERS(unistd.h, [AC_CHECK_FUNCS(getpid)], [])
 
+ case "$HTTPD_MINOR" in
+ [[3-9]])
+ AC_ARG_ENABLE(broken-httpd-auth,
+ AS_HELP_STRING([--enable-broken-httpd-auth],
+ [Force build and against httpd 2.4 with broken auth]),
+ [broken_httpd_auth=$enableval],[broken_httpd_auth=no])
+ AC_MSG_CHECKING([for ap_some_authn_required])
+ old_CPPFLAGS="$CPPFLAGS"
+ CPPFLAGS="$CPPFLAGS $APACHE_INCLUDES $SVN_APR_INCLUDES"
+ AC_EGREP_CPP([int.*\sap_some_authn_required\s*\(],
+ [#include "http_request.h"],
+ [AC_MSG_RESULT([yes])
+ working_auth=yes],
+ [AC_MSG_RESULT([no])])
+ CPPFLAGS="$old_CPPFLAGS"
+ if test "$working_auth" = "yes" ; then
+ AC_DEFINE(SVN_USE_FORCE_AUTHN, 1,
+ [Defined to build against httpd 2.4 with working auth])
+ elif test "$enable_broken_httpd_auth" = "yes"; then
+ AC_MSG_WARN([==============================================])
+ AC_MSG_WARN([Subversion will be vulnerable to CVE-2015-3185])
+ AC_MSG_WARN([==============================================])
+ else
+ AC_MSG_ERROR([Apache httpd version $HTTPD_VERSION has broken auth (CVE-2015-3185)])
+ fi
+ ;;
+ esac
+
     BUILD_APACHE_RULE=apache-mod
     INSTALL_APACHE_RULE=install-mods-shared
     INSTALL_APACHE_MODS=true
- AC_ARG_ENABLE(broken-httpd-auth,
- AS_HELP_STRING([--enable-broken-httpd-auth],
- [Allow building against httpd 2.4 with broken auth]),
- [broken_httpd_auth=$enableval],[broken_httpd_auth=no])
- if test "$enable_broken_httpd_auth" = "yes"; then
- AC_MSG_NOTICE([Building with broken httpd auth])
- AC_DEFINE(SVN_ALLOW_BROKEN_HTTPD_AUTH, 1,
- [Defined to allow building against httpd 2.4 with broken auth])
- fi
-
     case $host in
       *-*-cygwin*)
         APACHE_LDFLAGS="-shrext .so"
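Review bot: the AC_EGREP_CPP pattern `int.*\sap_some_authn_required\s*\(` depends on `\s`, which is a GNU extension and not part of POSIX ERE, so with a non-GNU `$EGREP` the test reports "no" and configure then rejects a perfectly good httpd 2.4 with the CVE-2015-3185 error; use `[[:space:]]` (quoted for m4, e.g. with the `@<:@`/`@:>@` quadrigraphs) or an explicit space/tab class instead. Please also initialise `working_auth=no` before the `case`, since a value inherited from the environment would otherwise turn the error into a silent pass, and the new help string "Force build and against httpd 2.4 with broken auth" reads oddly where the removed text "Allow building against httpd 2.4 with broken auth" was clear. Minor: the action-if-given sets `broken_httpd_auth` but the test reads `enable_broken_httpd_auth`, so the `=no` default is never consulted and the option only works because AC_ARG_ENABLE sets `enable_broken_httpd_auth` on its own.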
Index: subversion/mod_authz_svn/mod_authz_svn.c
===================================================================
--- subversion/mod_authz_svn/mod_authz_svn.c (revision 1695447)
+++ subversion/mod_authz_svn/mod_authz_svn.c (working copy)
@@ -84,28 +84,9 @@
   const char *force_username_case;
 } authz_svn_config_rec;
 
-#if AP_MODULE_MAGIC_AT_LEAST(20060110,0) /* version where
- ap_some_auth_required breaks */
-# if AP_MODULE_MAGIC_AT_LEAST(20120211,47) /* first version with
- force_authn hook and
- ap_some_authn_required() which
- allows us to work without
- ap_some_auth_required() */
-# define USE_FORCE_AUTHN 1
-# define IN_SOME_AUTHN_NOTE "authz_svn-in-some-authn"
-# define FORCE_AUTHN_NOTE "authz_svn-force-authn"
-# else
- /* ap_some_auth_required() is busted and no viable alternative exists */
-# ifndef SVN_ALLOW_BROKEN_HTTPD_AUTH
-# error This version of httpd has a security hole with mod_authz_svn
-# else
- /* user wants to build anyway */
-# define USE_FORCE_AUTHN 0
-# endif
-# endif
-#else
- /* old enough that ap_some_auth_required() still works */
-# define USE_FORCE_AUTHN 0
+#ifdef SVN_USE_FORCE_AUTHN
+#define IN_SOME_AUTHN_NOTE "authz_svn-in-some-authn"
+#define FORCE_AUTHN_NOTE "authz_svn-force-authn"
 #endif
 
 /*
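Review bot: removing the `# error This version of httpd has a security hole with mod_authz_svn` branch leaves configure as the only guard, so a build that reuses a stale or hand-edited svn_private_config.h, or that compiles the module outside the autoconf path, links silently against an httpd whose ap_some_auth_required() is broken; consider keeping a minimal fallback here along the lines of `#if !defined(SVN_USE_FORCE_AUTHN) && AP_MODULE_MAGIC_AT_LEAST(20060110,0)` followed by the old `#error`, gated on whatever opt-out define configure emits for --enable-broken-httpd-auth. Also, this block tests `#ifdef SVN_USE_FORCE_AUTHN` while the remaining hunks use `#if SVN_USE_FORCE_AUTHN`; one form throughout would be easier to audit.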
@@ -873,7 +854,7 @@
   const char *dest_repos_path = NULL;
   int status, authn_required;
 
-#if USE_FORCE_AUTHN
+#if SVN_USE_FORCE_AUTHN
   /* Use the force_authn() hook available in 2.4.x to work securely
    * given that ap_some_auth_required() is no longer functional for our
    * purposes in 2.4.x.
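Review bot: `#if SVN_USE_FORCE_AUTHN` evaluates to 0 when configure never defined the macro, which is valid C but trips `-Wundef` and hides the difference between "configure said no" and "config header not included"; since AC_DEFINE only ever emits `1` for the working case, either switch these tests to `#ifdef SVN_USE_FORCE_AUTHN` (matching the define block above) or have the configure side define it to `0` explicitly in the broken-auth branch.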
@@ -953,7 +934,7 @@
       if (!conf->authoritative)
         return DECLINED;
 
-#if USE_FORCE_AUTHN
+#if SVN_USE_FORCE_AUTHN
       if (authn_configured) {
           /* We have to check to see if authn is required because if so we must
            * return UNAUTHORIZED (401) rather than FORBIDDEN (403) since returning
@@ -1053,7 +1034,7 @@
   return OK;
 }
 
-#if USE_FORCE_AUTHN
+#if SVN_USE_FORCE_AUTHN
 static int
 force_authn(request_rec *r)
 {
@@ -1080,7 +1061,7 @@
    * give SSLOptions +FakeBasicAuth a chance to work. */
   ap_hook_check_user_id(check_user_id, mod_ssl, NULL, APR_HOOK_FIRST);
   ap_hook_auth_checker(auth_checker, NULL, NULL, APR_HOOK_FIRST);
-#if USE_FORCE_AUTHN
+#if SVN_USE_FORCE_AUTHN
   ap_hook_force_authn(force_authn, NULL, NULL, APR_HOOK_FIRST);
 #endif
   ap_register_provider(p,

-- 
Philip Martin
WANdisco
Received on 2015-08-12 14:47:29 CEST

This is an archived mail posted to the Subversion Dev mailing list.
