On Thu, Oct 28, 2004 at 03:19:32PM -0400, Geoffrey Young wrote:
> 
> 
> [EMAIL PROTECTED] wrote:
> > jorton      2004/10/25 06:04:14
> > 
> >   Modified:    perl-framework/t/conf extra.conf.in
> >   Added:       perl-framework/t/htdocs/security CAN-2004-0940.shtml
> >                perl-framework/t/security CAN-2004-0940.t
> >   Log:
> >   Regression test for CAN-2004-0940, 1.3 mod_include overflow.
> 
> hi joe :)
> 
> I get the following failures on 1.3.32 but not on 1.3.33.
> 
>   t/modules/rewrite.t           22    2    9.09%  18 20
>   t/security/CAN-2004-0940.t     1    1  100.00%  1

Those bugs are present in 1.3.32, so that's expected.

>   t/security/CAN-2004-0958.t     9    2   22.22%  1 3

Did you change PHP version too?  That's a PHP test; the result shouldn't change unless you change PHP version too with 1.3.33?

> I think these are all recent additions from you.  should each of these
> failures be skipped unless something like
> 
>   ( have_apache(1) && have_min_apache_version(1.3.33) ) ||
>   ( have_apache(2) && have_min_apache_version(2.0.XX) )

Welll... we started having this debate a while back :)  Here's my take: I think it's correct to:

1) only test for new features in versions on which they are known to be present
2) test for bugs in all versions unconditionally in all affected versions

I think it's the desired outcome that if you test 1.3.32 for CAN-2004-0940, it should fail: 1.3.32 is, after all, vulnerable to CAN-2004-0940.  Why hide that by skipping the test?  Likewise, if you're running 1.3.32 you *should* be told that there is a nasty mod_rewrite regression in that version.

Maybe I'm hawking my corporate agenda here a little too, because it makes httpd-test slightly more useful to me since I can test for 1.3.x + backported patch, whereas if the test was skipped for <1.3.33 it won't demonstrate that the code is patched.

Does that make sense?

joe
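The two policies Joe describes above (gate feature tests on the version that introduced the feature; never gate regression tests for security bugs) look like this in an Apache::Test `.t` file. This is an added illustration, not a test from the httpd-test perl-framework: the URLs `/security/example.shtml` and `/features/example`, the expected body `ok`, and the file name are hypothetical, and only the 1.3.33 condition quoted in the thread is used (the `2.0.XX` branch is left unspecified, as in the e-mail).

```perl
# Hypothetical t/security/example-policy.t (illustration, not framework code)
use strict;
use warnings FATAL => 'all';

use Apache::Test;          # plan, ok, skip, have_apache, have_min_apache_version
use Apache::TestRequest;   # GET, GET_BODY

# Both sub-tests are always planned: the regression check must run on
# every httpd version, so an unpatched 1.3.32 fails visibly instead of
# being silently skipped. A server carrying a backported fix passes it,
# which is exactly what a version-gated plan() could not show.
plan tests => 2;

# Policy 2 (bugs): unconditional. The request below is a placeholder for
# whatever input triggers the bug under test; a vulnerable server would
# not answer it with 200.
my $res = GET '/security/example.shtml';          # hypothetical document
ok $res->code == 200;

# Policy 1 (features): only assert behaviour on versions known to have it.
# Condition as quoted in the thread; the 2.0 branch is intentionally omitted.
my $has_feature = have_apache(1) && have_min_apache_version('1.3.33');

if ($has_feature) {
    ok GET_BODY('/features/example') eq 'ok';     # hypothetical feature URL
}
else {
    # Test.pm-style skip: a true first argument records "ok N # skip ...".
    skip "feature not present before httpd 1.3.33", 1;
}
```

Keeping `plan tests => 2` unconditional and moving the version check inside the file is what makes the two policies coexist in one test: the skip applies to the feature assertion only, never to the regression assertion.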