Bug 55304 - [PATCH] mod_dav should not validate parent when handling COPY
[PATCH] mod_dav should not validate parent when handling COPY
Status: RESOLVED FIXED
Product: Apache httpd-2
Classification: Unclassified
Component: mod_dav
2.5-HEAD
PC Mac OS X 10.4
: P2 normal (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
: PatchAvailable
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2013-07-24 19:31 UTC by Ben Reser
Modified: 2013-10-21 20:51 UTC (History)
4 users (show)



Attachments
Only validate the parent in the case of MOVE and not COPY. (1.16 KB, text/plain)
2013-07-24 19:31 UTC, Ben Reser
Details
Only validate the parent in the case of MOVE and not COPY. (1.19 KB, patch)
2013-07-24 20:54 UTC, Ben Reser
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ben Reser 2013-07-24 19:31:45 UTC
Created attachment 30623 [details]
Only validate the parent in the case of MOVE and not COPY.

The fix that was applied for PR54610 changed mod_dav to run the dav_validate_request() function on COPY requests as well as MOVE requests.  This was done by effectively just removing the if block around the existing MOVE case.

The URI of the COPY and MOVE requests is the source of the node to be copied or moved.  So DAV_VALIDATE_PARENT ends up asking the DAV provider module for the parent resource.  As the comment above this call mentions this makes sense for a MOVE since the parent of the node being moved is modified by the move.  However, in the case of a COPY it is not.

If the source happens to be the root of the DAV repository, then there will be no parent to provide.  This isn't a problem for MOVE because there's no logical way to handle moving the root, however a COPY of the root is allowed.  A properly implemented DAV provider will return NULL for the parent resource and as a result the COPY from the root will fail incorrectly.

This issue causes the Subversion test suite to fail prior to Subversion 1.7.11 and 1.8.1 when we put a fix in for a bug in our code get_parent_resource() code that was asserting when run against the root.  We still have another bug where for some resources we are not returning NULL like we should be (as mentioned above) when asked for the parent of the root.  Without this issue being fixed we can't fix our bug.

So an easy way to reproduce this issue would be simply to run the SVN test suite with a checkout from the Subversion repo before r1503528 (when the issue was fixed on trunk).  You'll see authz_tests.py 17 fail and some tests later on.
Comment 1 Ben Reser 2013-07-24 20:54:42 UTC
Created attachment 30625 [details]
Only validate the parent in the case of MOVE and not COPY.

Updated the patch to use DAV_VALIDATE_RESOURCE flag when it's a COPY.  This doesn't actually change any behavior since dav_validate_request() never looks at that flag, but all the other callers use it, so this case should use it in case the implementation changes.
Comment 2 Greg Stein 2013-07-24 21:10:07 UTC
Fixed in r1506714.
Comment 3 Joe Orton 2013-08-19 19:28:03 UTC
Merged for 2.2.x: http://svn.apache.org/r1515569
Comment 4 Mark Phippard 2013-10-21 14:08:48 UTC
Does anyone, perhaps Joe?, happen to know if the mod_dav change that created this regression was back ported to Red Hat's Apache distribution?  IOW, is Red Hat's current Apache module in need of this fix?
Comment 5 Joe Orton 2013-10-21 20:51:19 UTC
Mark, we don't backport regressions ;)  More seriously - Red Hat has many distributions of httpd so it depends what you mean, perhaps better to take the q off-line.