Bug report for Apache httpd-2 [2016/03/06]

2016-03-05 Thread bugzilla
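+---------------------------------------------------------------------------+
| Bugzilla Bug ID                                                           |
|     +---------------------------------------------------------------------+
|     | Status: UNC=Unconfirmed NEW=New         ASS=Assigned                |
|     |         OPN=Reopened    VER=Verified    (Skipped Closed/Resolved)   |
|     |   +-----------------------------------------------------------------+
|     |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
|     |   |           MIN=Minor   NOR=Normal    ENH=Enhancement TRV=Trivial |
|     |   |   +-------------------------------------------------------------+
|     |   |   | Date Posted                                                 |
|     |   |   |          +--------------------------------------------------+
|     |   |   |          | Description                                      |
|     |   |   |          |                                                  |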
| 8713|Inf|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity|
| 8867|Opn|Cri|2002-05-07|exports.c generation fails when using a symlink to|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|11294|New|Enh|2002-07-30|desired vhost_alias option|
|11580|Opn|Enh|2002-08-09|generate Content-Location headers |
|12033|Opn|Nor|2002-08-26|Graceful restart immediately result in [warn] long|
|13599|Inf|Nor|2002-10-14|autoindex formating broken for multibyte sequences|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation  |
|14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR|
|14496|New|Enh|2002-11-13|Cannot upgrade any version on Windows. Must uninst|
|14922|Inf|Enh|2002-11-28| is currently hardcoded to 'apache2'  |
|15719|Inf|Nor|2002-12-30|WebDAV MOVE to destination URI which is content-ne|
|16761|Inf|Nor|2003-02-04|CustomLog with pipe spawns process during config  |
|16802|New|Enh|2003-02-05|Additional AllowOverride directive "Restrict" |
|16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.|
|17107|New|Min|2003-02-16|Windows should not install printenv   |
|17114|New|Enh|2003-02-17|Please add strip and install-strip targets to Make|
|17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi|
|17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header|
|18325|New|Enh|2003-03-25|PAM support for suEXEC|
|18334|Inf|Cri|2003-03-25|Server crashes when authenticating users against L|
|19043|New|Min|2003-04-15|Interesting interaction between cern_meta module a|
|19670|New|Enh|2003-05-05|content type header supplied upon PUT is thrown aw|
|20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment |
|21260|New|Nor|2003-07-02|CacheMaxExpire directive not enforced !   |
|21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut|
|22237|New|Enh|2003-08-08|option to disable ServerSignature on index pages  |
|22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down|
|22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7|
|22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header  |
|23167|Inf|Cri|2003-09-14|--enable-layout never goes to apr apr-util|
|23181|New|Nor|2003-09-15|Status 304 (Not modified) and chunking leads to an|
|23238|New|Cri|2003-09-18|non-async-signal-safe operations from signal handl|
|23330|New|Enh|2003-09-22|Enhance ApacheMonitor to view and control Tomcat s|
|23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54|
|24031|New|Enh|2003-10-23|Passphrase protected private key in SSLProxyMachin|
|24095|Opn|Cri|2003-10-24|ERROR "Parent: child process exited with status 32|
|24437|Opn|Nor|2003-11-05|mod_auth_ldap doubly-escapes backslash (\) charact|
|24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g|
|25014|New|Enh|2003-11-26|A flexible interface for mod_log_config   |
|25201|New|Enh|2003-12-04|Provide Cache Purge operation |
|25240|Inf|Enh|2003-12-05|SSL Library Error: 336105671 logged as information|
|25435|New|Enh|2003-12-11|sethandler and directoryindex not playing nice|
|25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files  |
|25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP |
|25543|Inf|Nor|2003-12-15|mod_proxy_ajp overwrites existing response headers|
|25667|New|Nor|2003-12-19|Memory leak in function ssl_scache_dbm_retrieve().|
|25863|New|Enh|2004-01-02|new per-host initialization hooks |
|26005|New|Nor|2004-01-08|SERVER_NAME incorrect when using IPv6 address in U|
|26142|New|Maj|2004-01-14|EnableSendFile Off for Windows XP Home|
|26153|Opn|Cri|2004-01-15|Apache cygwin directory traversal vulnerability   |
|26368|New|Min|

Re: access control for dynamic hosts (vote?)

2016-03-05 Thread Fabien


Hello Apache developers,


Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused.  Like "forward-dns"


Attached is a patch against the sources, including documentation, 
which uses the syntax "Require forward-dns foo.apache.org".


The second file is the same extension as an external module, for easy 
testing. The only differences from the integrated version are the error 
message texts, which are given the function name instead of an APLOGNO, and 
the absence of documentation.


I'm proposing to commit the patch if I'm given a go.

Vote?

--
Fabien.

Index: docs/log-message-tags/next-number
===
--- docs/log-message-tags/next-number	(revision 1733559)
+++ docs/log-message-tags/next-number	(working copy)
@@ -1 +1 @@
-3354
+3357
Index: docs/manual/mod/mod_authz_host.xml
===
--- docs/manual/mod/mod_authz_host.xml	(revision 1733559)
+++ docs/manual/mod/mod_authz_host.xml	(working copy)
@@ -58,7 +58,8 @@
 Apache's Require
 directive is used during the authorization phase to ensure that a user is allowed or
 denied access to a resource.  mod_authz_host extends the
-authorization types with ip, host and local.
+authorization types with ip, host,
+forward-dns and local.
 Other authorization types may also be
 used but may require that additional authorization modules be loaded.
 
@@ -157,6 +158,29 @@
 
 
 
+Require forward-dns
+
+The forward-dns provider allows access to the server
+to be controlled based on simple host names.  When
+Require forward-dns host-name is specified,
+all IP addresses corresponding to host-name
+are allowed access.
+
+In contrast to the host provider, this provider does not
+rely on reverse DNS lookups: it simply queries the DNS for the host name
+and allows a client if its IP matches.  As a consequence, it will only
+work with host names, not domain names.  However, as the reverse DNS is
+not used, it will work with clients which use a dynamic DNS service.
+
+
+Require forward-dns bla.example.org
+
+
+A client the IP of which is resolved from the name
+bla.example.org will be granted access.
+
+
+
 Require local
 
 The local provider allows access to the server if any
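
Review bot: The new forward-dns section documents only the single-name form "Require forward-dns host-name", while forward_dns_check_authorization in mod_authz_host.c evaluates the require line as an expression and tokenizes it as a list of names; the section should say that several host names may be given and that expressions are accepted. It should also state that the name is resolved through DNS at the time the request is authorized, so the rule is only as trustworthy as the resolver's answers and whoever controls that record, and that a name which does not resolve grants no access.
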
Index: modules/aaa/mod_authz_host.c
===
--- modules/aaa/mod_authz_host.c	(revision 1733559)
+++ modules/aaa/mod_authz_host.c	(working copy)
@@ -216,6 +216,71 @@
 return AUTHZ_DENIED;
 }
 
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+const char *require_line,
+const void *parsed_require_line)
+{
+const char *err = NULL;
+const ap_expr_info_t *expr = parsed_require_line;
+const char *require, *t;
+char *w;
+
+/* the require line is an expression, which is evaluated now. */
+require = ap_expr_str_exec(r, expr, &err);
+if (err) {
+  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+"Can't evaluate require expression: %s", err);
+  return AUTHZ_DENIED;
+}
+
+/* tokenize expected list of names */
+t = require;
+while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+
+apr_sockaddr_t *sa;
+apr_status_t rv;
+char *hash_ptr;
+
+/* stop on apache configuration file comments */
+if ((hash_ptr = ap_strchr(w, '#'))) {
+if (hash_ptr == w) {
+break;
+}
+*hash_ptr = '\0';
+}
+
+/* does the client ip match one of the names? */
+rv = apr_sockaddr_info_get(&sa, w, APR_UNSPEC, 0, 0, r->pool);
+if (rv == APR_SUCCESS) {
+
+while (sa) {
+int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+  "access check for %s as '%s': %s",
+  r->useragent_ip, w, match? "yes": "no");
+if (match) {
+return AUTHZ_GRANTED;
+}
+
+sa = sa->next;
+}
+}
+else {
+ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+  "No sockaddr info for \"%s\"", w);
+}
+
+/* stop processing, we are in a comment */
+if (hash_ptr) {
+break;
+}
+}
+
+return AUTHZ_DENIED;
+}
+
 static authz_status local_check_authorization(request_rec *r,
   const char *require_line,
   const void *parsed_require_line)
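
Review bot: In the while loop of forward_dns_check_authorization, apr_sockaddr_info_get() runs for every listed name on every request, so each authorization check blocks on the resolver and a slow or failing DNS server delays or denies otherwise valid clients; consider caching the resolved addresses for a short time, or at least documenting the per-request cost. A name that fails to resolve is logged with APLOGNO(03356) at APLOG_WARNING on each request, which lets a single stale entry fill the error log; a lower level or rate limiting would be safer. The '#' handling also truncates a word such as "foo#bar" to "foo" and resolves it before breaking, which is surprising for a host name list; please either treat only a leading '#' as a comment or document the truncation.
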
@@ -265,6 +330,12 @@
 &host_parse_config,
 };
 
+static const authz_provider authz_forward_dns_provider =
+{
+&forward_dns_check_aut

Add ?? mod_prox_http2 for NetWare build - Take 2

2016-03-05 Thread NormW

G/M,
This supersedes Take 1 due to additional exports now needed by 
mod_proxy_http2 from mod_proxy and mod_http2.

Same caveat applies re tweaks to mod_proxy_http2 source files.
Norm
#
# This Makefile requires the environment var NGH2SRC
# pointing to the base directory of nghttp2 source tree.
#

#
# Declare the sub-directories to be built here
#

SUBDIRS = \
$(EOLIST)

#
# Get the 'head' of the build environment.  This includes default targets and
# paths to tools
#

include $(AP_WORK)/build/NWGNUhead.inc

#
# build this level's files
#
# Make sure all needed macro's are defined
#

#
# These directories will be at the beginning of the include list, followed by
# INCDIRS
#
XINCDIRS+= \
$(APR)/include \
$(APRUTIL)/include \
$(SRC)/include \
$(NGH2SRC)/lib/includes \
$(STDMOD)/proxy \
$(SERVER)/mpm/NetWare \
$(NWOS) \
$(EOLIST)

#
# These flags will come after CFLAGS
#
XCFLAGS += \
$(EOLIST)

#
# These defines will come after DEFINES
#
XDEFINES+= \
$(EOLIST)

#
# These flags will be added to the link.opt file
#
XLFLAGS += \
-L$(OBJDIR) \
$(EOLIST)

#
# These values will be appended to the correct variables based on the value of
# RELEASE
#
ifeq "$(RELEASE)" "debug"
XINCDIRS+= \
$(EOLIST)

XCFLAGS += \
$(EOLIST)

XDEFINES+= \
$(EOLIST)

XLFLAGS += \
$(EOLIST)
endif

ifeq "$(RELEASE)" "noopt"
XINCDIRS+= \
$(EOLIST)

XCFLAGS += \
$(EOLIST)

XDEFINES+= \
$(EOLIST)

XLFLAGS += \
$(EOLIST)
endif

ifeq "$(RELEASE)" "release"
XINCDIRS+= \
$(EOLIST)

XCFLAGS += \
$(EOLIST)

XDEFINES+= \
$(EOLIST)

XLFLAGS += \
$(EOLIST)
endif

#
# These are used by the link target if an NLM is being generated
# This is used by the link 'name' directive to name the nlm.  If left blank
# TARGET_nlm (see below) will be used.
#
NLM_NAME= proxyht2

#
# This is used by the link '-desc ' directive.
# If left blank, NLM_NAME will be used.
#
NLM_DESCRIPTION = Apache $(VERSION_STR) HTTP2 Proxy module
#
# This is used by the '-threadname' directive.  If left blank,
# NLM_NAME Thread will be used.
#
NLM_THREAD_NAME = $(NLM_NAME)

#
# If this is specified, it will override VERSION value in
# $(AP_WORK)/build/NWGNUenvironment.inc
#
NLM_VERSION =

#
# If this is specified, it will override the default of 64K
#
NLM_STACK_SIZE  = 65536

#
# If this is specified it will be used by the link '-entry' directive
#
NLM_ENTRY_SYM   =

#
# If this is specified it will be used by the link '-exit' directive
#
NLM_EXIT_SYM=

#
# If this is specified it will be used by the link '-check' directive
#
NLM_CHECK_SYM   =

#
# If this is specified it will be used by the link '-flags' directive
#
NLM_FLAGS   =

#
# If this is specified it will be linked in with the XDCData option in the def
# file instead of the default of $(NWOS)/apache.xdc.  XDCData can be disabled
# by setting APACHE_UNIPROC in the environment
#
XDCDATA =

#
# Declare all target files (you must add your files here)
#

#
# If there is an NLM target, put it here
#
TARGET_nlm = \
$(OBJDIR)/$(NLM_NAME).nlm \
$(EOLIST)

#
# If there is an LIB target, put it here
#
TARGET_lib = \
$(EOLIST)

#
# These are the OBJ files needed to create the NLM target above.
# Paths must all use the '/' character
#
FILES_nlm_objs = \
$(OBJDIR)/mod_proxy_http2.o \
$(OBJDIR)/h2_proxy_session.o \
$(EOLIST)

#
# These are the LIB files needed to create the NLM target above.
# These will be added as a library command in the link.opt file.
#
FILES_nlm_libs = \
$(PRELUDE) \
$(EOLIST)

#
# These are the modules that the above NLM target depends on to load.
# These will be added as a module command in the link.opt file.
#
FILES_nlm_modules = \
Libc \
Apache2 \
mod_proxy \
mod_http2 \
$(EOLIST)

#
# If the nlm has a msg file, put it's path here
#
FILE_nlm_msg =

#
# If the nlm has a hlp file put it's path here
#
FILE_nlm_hlp =

#
# If this is specified, it will override $(NWOS)\copyright.txt.
#
FILE_nlm_copyright =

#
# Any additional imports go here
#
FILES_nlm_Ximports = \
@libc.imp \
@aprlib.imp \
@httpd.imp \
@$(OBJDIR)/mod_http2.imp \
ap_proxy_acquire_connection \
ap_proxy_canon_netloc \
ap_proxy_canonenc \
ap_proxy_connect_backend \
  

Static code checker research worth investigating (Communications of the ACM, 03/2016, Vol. 59, No. 03, p. 99)

2016-03-05 Thread Tom Browder
Interesting article in latest issue of subject titled:

  "A Differential Approach to Undefined Behavior Detection"

which may describe procedures not used in other static analysis programs.

Article references the authors' website here:

  http://css.csail.mit.edu/stack

which contains more info links and a link to the software on github here:

  https://github.com/xiw/stack

Best regards,

-Tom