Author: svn-role Date: Tue Mar 29 04:00:37 2022 New Revision: 1899331 URL: http://svn.apache.org/viewvc?rev=1899331&view=rev Log: Merge the r1883838 group from trunk:
* r1883838, r1883989, r1886460, r1886582, r1892121
Add test coverage for CVE-2020-17525 (mod_authz_svn NULL deref)
Votes:
+1: stsp, markphip, dsahlberg
Modified:
subversion/branches/1.10.x/ (props changed)
subversion/branches/1.10.x/STATUS
subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh
subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py
Propchange: subversion/branches/1.10.x/
------------------------------------------------------------------------------
Merged /subversion/trunk:r1883838,1883989,1886460,1886582,1892121
Modified: subversion/branches/1.10.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/STATUS?rev=1899331&r1=1899330&r2=1899331&view=diff
==============================================================================
--- subversion/branches/1.10.x/STATUS (original)
+++ subversion/branches/1.10.x/STATUS Tue Mar 29 04:00:37 2022
@@ -31,11 +31,6 @@ Veto-blocked changes: Approved changes: ================= - * r1883838, r1883989, r1886460, r1886582, r1892121 - Add test coverage for CVE-2020-17525 (mod_authz_svn NULL deref) - Votes: - +1: stsp, markphip, dsahlberg - * r1894734 Fix issue #4880, "Use-after-free of object-pools when running in httpd" Justification:
Modified: subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh?rev=1899331&r1=1899330&r2=1899331&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh (original)
+++ subversion/branches/1.10.x/subversion/tests/cmdline/davautocheck.sh Tue Mar 29 04:00:37 2022
@@ -527,10 +527,9 @@ CustomLog "$HTTPD_ROOT/ops" "%
 <Location /svn-test-work/repositories>
 __EOF__
-location_common() {
+location_common_without_authz() {
 cat >> "$HTTPD_CFG" <<__EOF__
 DAV svn
- AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
 AuthType Basic
 AuthName "Subversion Repository"
 AuthUserFile $HTTPD_USERS
@@ -540,6 +539,12 @@ cat >> "$HTTPD_CFG" <<__EOF__
 SVNBlockRead ${BLOCK_READ_SETTING}
 __EOF__
 }
+location_common() {
+location_common_without_authz
+cat >> "$HTTPD_CFG" <<__EOF__
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+__EOF__
+}
 location_common
 cat >> "$HTTPD_CFG" <<__EOF__
 SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/repositories"
@@ -582,6 +587,15 @@ cat >> "$HTTPD_CFG" <<__EOF__
 </IfModule>
 ${SVN_PATH_AUTHZ_LINE}
 </Location>
+<Location /authz-test-work/in-repos-authz>
+__EOF__
+location_common_without_authz
+cat >> "$HTTPD_CFG" <<__EOF__
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/repositories"
+ Require valid-user
+ Satisfy Any
+ AuthzSVNReposRelativeAccessFile "^/authz"
+</Location>
 <Location /authz-test-work/mixed>
 __EOF__
 location_common
Modified: subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py?rev=1899331&r1=1899330&r2=1899331&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py (original)
+++ subversion/branches/1.10.x/subversion/tests/cmdline/mod_authz_svn_tests.py Tue Mar 29 04:00:37 2022
@@ -25,7 +25,7 @@ ######################################################################
 # General modules
-import os, re, logging
+import os, re, logging, shutil
 logger = logging.getLogger()
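Review bot: The new `<Location /authz-test-work/in-repos-authz>` block in the third hunk does not emit `${SVN_PATH_AUTHZ_LINE}`, although the Location immediately above it in the context does; judging by its name that variable presumably carries the script's SVNPathAuthz setting, so the in-repos-authz tests would only ever run with httpd's default path-authz mode rather than with whatever davautocheck.sh was asked to test. If that is deliberate, a comment inside the heredoc such as `# SVNPathAuthz intentionally left at the default; these tests only cover repository-relative rule lookup` would make it clear; otherwise add `${SVN_PATH_AUTHZ_LINE}` before the closing `</Location>`. It would also help to note next to `Satisfy Any` that it appears to be what lets unauthenticated requests reach mod_authz_svn at all, since the CVE-2020-17525 test added to mod_authz_svn_tests.py in this same commit exercises exactly the unauthenticated path.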
@@ -1043,6 +1043,73 @@ def authn_sallrall(sbox):
 verify_gets(test_area_url, sallrall_tests)
+@SkipUnless(svntest.main.is_ra_type_dav)
+def repos_relative_access_file(sbox):
+ "repos-relative access file"
+
+ sbox.build()
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/repositories/',
+ '/authz-test-work/in-repos-authz/')
+
+ svntest.main.write_authz_file(sbox, {"/": "", "/A": "%s = rw" % user1})
+ shutil.move(sbox.authz_file, os.path.join(sbox.wc_dir, 'authz'))
+ sbox.simple_add('authz')
+ svntest.actions.run_and_verify_svn(None, [], 'relocate',
+ sbox.file_protocol_repo_url(), sbox.wc_dir)
+ sbox.simple_commit(message="adding in-repository authz rules file")
+
+ in_repos_authz_tests = (
+ { 'path': '', 'status': 401, },
+ { 'path': '/authz', 'status': 401, },
+ { 'path': '/authz', 'user' : user1, 'pw' : user1_pass,
+ 'status': 403, },
+ { 'path': '/A', 'user' : user1, 'pw' : user1_pass,
+ 'status': 301, },
+ { 'path': '/A/', 'user' : user1, 'pw' : user1_pass,
+ 'status': 200, },
+ )
+
+ verify_gets(test_area_url, in_repos_authz_tests)
+
+# test for the bug also known as CVE-2020-17525
+@SkipUnless(svntest.main.is_ra_type_dav)
+def nonexistent_repos_relative_access_file(sbox):
+ "repos-relative access file with bad repository URL"
+
+ sbox.build()
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/repositories/',
+ '/authz-test-work/in-repos-authz/')
+
+ # Construct a bad test-area URL to see what happens if we attempt to access
+ # a repository in a subdirectory which does not exist in SVNParentPath.
+ # This used to crash the server with a NULL-pointer dereference upon
+ # unauthenticated access.
+ test_area_url += '-this/does/not/exist'
+
+ svntest.main.write_authz_file(sbox, {"/": "", "/A": "%s = rw" % user1})
+ shutil.move(sbox.authz_file, os.path.join(sbox.wc_dir, 'authz'))
+ sbox.simple_add('authz')
+ svntest.actions.run_and_verify_svn(None, [], 'relocate',
+ sbox.file_protocol_repo_url(), sbox.wc_dir)
+ sbox.simple_commit(message="adding in-repository authz rules file")
+
+ # access is denied across the board since this repository does not exist
+ in_repos_authz_tests = (
+ { 'path': '', 'status': 401, },
+ { 'path': '/authz', 'status': 401, },
+ { 'path': '/authz', 'user' : user1, 'pw' : user1_pass,
+ 'status': 403, },
+ { 'path': '/A', 'user' : user1, 'pw' : user1_pass,
+ 'status': 403, },
+ { 'path': '/A/', 'user' : user1, 'pw' : user1_pass,
+ 'status': 403, },
+ )
+
+ verify_gets(test_area_url, in_repos_authz_tests)
+
+
 ########################################################################
 # Run the tests
@@ -1058,6 +1125,8 @@ test_list = [ None,
 authn_group,
 authn_sallrany,
 authn_sallrall,
+ repos_relative_access_file,
+ nonexistent_repos_relative_access_file,
 ]
 serial_only = True