# ./pullrev.sh 1692801 1694012

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3184

http://svn.apache.org/viewvc?view=revision&revision=1692801

http://svn.apache.org/viewvc?view=revision&revision=1694012

Excludes CVE-2015-3187 changes.  This patch requires an httpd

patched with the new API introduced for CVE-2015-3185.

--- subversion-1.7.14/build/ac-macros/apache.m4.cve3184

+++ subversion-1.7.14/build/ac-macros/apache.m4

@@ -85,6 +85,25 @@ VERSION_OKAY

         AC_MSG_RESULT(no - Unable to locate $APXS_INCLUDE/mod_dav.h)

         APXS=""

     fi

+    HTTPD="`$APXS -q sbindir`/`$APXS -q PROGNAME`"

+    if ! test -e $HTTPD ; then

+      HTTPD="`$APXS -q bindir`/`$APXS -q PROGNAME`"

+    fi

+    HTTPD_VERSION=["`$HTTPD -v | $SED -e 's@^.*/\([0-9.]*\)\(.*$\)@\1@ ; 1q'`"]

+    AC_ARG_ENABLE(broken-httpd-auth,

+      AS_HELP_STRING([--enable-broken-httpd-auth],

+                     [Allow building against httpd 2.4 with broken auth]),

+      [broken_httpd_auth=$enableval],[broken_httpd_auth=no])

+    if test "$enable_broken_httpd_auth" = "backport"; then

+      AC_MSG_NOTICE([Building with httpd as if 2.4.17 or later])

+      HTTPD_VERSION=2.4.17

+      AC_DEFINE(SVN_ALLOW_BROKEN_HTTPD_AUTH, 1,

+                [Defined to allow building against httpd 2.4 with broken auth])

+    elif test "$enable_broken_httpd_auth" = "yes"; then

+      AC_MSG_NOTICE([Building with broken httpd auth])

+      AC_DEFINE(SVN_ALLOW_BROKEN_HTTPD_AUTH, 1,

+                [Defined to allow building against httpd 2.4 with broken auth])

+    fi

 else

     AC_MSG_RESULT(no)

 fi

@@ -157,6 +176,7 @@ AC_SUBST(APXS)

 AC_SUBST(APACHE_LDFLAGS)

 AC_SUBST(APACHE_INCLUDES)

 AC_SUBST(APACHE_LIBEXECDIR)

+AC_SUBST(HTTPD_VERSION)

 # there aren't any flags that interest us ...

 #if test -n "$APXS" && test "$APXS" != "no"; then

--- subversion-1.7.14/build/run_tests.py.cve3184

+++ subversion-1.7.14/build/run_tests.py

@@ -29,6 +29,7 @@

             [--fs-type=<fs-type>] [--fsfs-packing] [--fsfs-sharding=<n>]

             [--list] [--milestone-filter=<regex>] [--mode-filter=<type>]

             [--server-minor-version=<version>]

+            [--httpd-version=<version>]

             [--config-file=<file>]

             <abs_srcdir> <abs_builddir>

             <prog ...>

@@ -81,7 +82,7 @@ class TestHarness:

                cleanup=None, enable_sasl=None, parallel=None, config_file=None,

                fsfs_sharding=None, fsfs_packing=None,

                list_tests=None, svn_bin=None, mode_filter=None,

-               milestone_filter=None):

+               milestone_filter=None, httpd_version=None):

     '''Construct a TestHarness instance.

     ABS_SRCDIR and ABS_BUILDDIR are the source and build directories.

@@ -130,6 +131,7 @@ class TestHarness:

     self.svn_bin = svn_bin

     self.mode_filter = mode_filter

     self.log = None

+    self.httpd_version = httpd_version

     if not sys.stdout.isatty() or sys.platform == 'win32':

       TextColors.disable()

@@ -414,6 +416,8 @@ class TestHarness:

       svntest.main.options.fsfs_packing = self.fsfs_packing

     if self.mode_filter is not None:

       svntest.main.options.mode_filter = self.mode_filter

+    if self.httpd_version is not None:

+      svntest.main.options.httpd_version = self.httpd_version

     svntest.main.options.srcdir = self.srcdir

@@ -562,7 +566,7 @@ def main():

                             'fsfs-packing', 'fsfs-sharding=',

                             'enable-sasl', 'parallel', 'config-file=',

                             'log-to-stdout', 'list', 'milestone-filter=',

-                            'mode-filter='])

+                            'mode-filter=', 'httpd-version='])

   except getopt.GetoptError:

     args = []

@@ -572,9 +576,10 @@ def main():

   base_url, fs_type, verbose, cleanup, enable_sasl, http_library, \

     server_minor_version, fsfs_sharding, fsfs_packing, parallel, \

-    config_file, log_to_stdout, list_tests, mode_filter, milestone_filter= \

+    config_file, log_to_stdout, list_tests, mode_filter, milestone_filter, \

+    httpd_version = \

             None, None, None, None, None, None, None, None, None, None, None, \

-            None, None, None, None

+            None, None, None, None, None

   for opt, val in opts:

     if opt in ['-u', '--url']:

       base_url = val

@@ -606,6 +611,8 @@ def main():

       milestone_filter = val

     elif opt in ['--mode-filter']:

       mode_filter = val

+    elif opt in ['--httpd-version']:

+      httpd_version = val

     else:

       raise getopt.GetoptError

@@ -620,7 +627,8 @@ def main():

                    base_url, fs_type, http_library, server_minor_version,

                    verbose, cleanup, enable_sasl, parallel, config_file,

                    fsfs_sharding, fsfs_packing, list_tests,

-                   mode_filter=mode_filter, milestone_filter=milestone_filter)

+                   mode_filter=mode_filter, milestone_filter=milestone_filter,

+                   httpd_version=httpd_version)

   failed = th.run(args[2:])

   if failed:

--- subversion-1.7.14/Makefile.in.cve3184

+++ subversion-1.7.14/Makefile.in

@@ -319,6 +319,7 @@ INSTALL_EXTRA_SWIG_RB=\

   done

 APXS = @APXS@

+HTTPD_VERSION = @HTTPD_VERSION@

 PYTHON = @PYTHON@

 PERL = @PERL@

@@ -466,6 +467,9 @@ check: bin @TRANSFORM_LIBTOOL_SCRIPTS@ $

 	  if test "$(HTTP_LIBRARY)" != ""; then                              \

 	    flags="--http-library $(HTTP_LIBRARY) $$flags";                  \

 	  fi;                                                                \

+	  if test "$(HTTPD_VERSION)" != ""; then                             \

+	    flags="--httpd-version $(HTTPD_VERSION) $$flags";                \

+	  fi;                                                                \

 	  if test "$(SERVER_MINOR_VERSION)" != ""; then                      \

 	    flags="--server-minor-version $(SERVER_MINOR_VERSION) $$flags";  \

 	  fi;                                                                \

--- subversion-1.7.14/subversion/mod_authz_svn/mod_authz_svn.c.cve3184

+++ subversion-1.7.14/subversion/mod_authz_svn/mod_authz_svn.c

@@ -48,6 +48,23 @@

 #include "svn_dirent_uri.h"

 #include "private/svn_fspath.h"

+/* The apache headers define these and they conflict with our definitions. */

+#ifdef PACKAGE_BUGREPORT

+#undef PACKAGE_BUGREPORT

+#endif

+#ifdef PACKAGE_NAME

+#undef PACKAGE_NAME

+#endif

+#ifdef PACKAGE_STRING

+#undef PACKAGE_STRING

+#endif

+#ifdef PACKAGE_TARNAME

+#undef PACKAGE_TARNAME

+#endif

+#ifdef PACKAGE_VERSION

+#undef PACKAGE_VERSION

+#endif

+#include "svn_private_config.h"

 extern module AP_MODULE_DECLARE_DATA authz_svn_module;

@@ -65,6 +82,30 @@ typedef struct authz_svn_config_rec {

   const char *force_username_case;

 } authz_svn_config_rec;

+#if AP_MODULE_MAGIC_AT_LEAST(20060110,0) /* version where

+                                            ap_some_auth_required breaks */

+#  if 1 || AP_MODULE_MAGIC_AT_LEAST(20120211,47) /* first version with

+                                               force_authn hook and

+                                               ap_some_authn_required() which

+                                               allows us to work without

+                                               ap_some_auth_required() */

+#    define USE_FORCE_AUTHN 1

+#    define IN_SOME_AUTHN_NOTE "authz_svn-in-some-authn"

+#    define FORCE_AUTHN_NOTE "authz_svn-force-authn"

+#  else

+     /* ap_some_auth_required() is busted and no viable alternative exists */

+#    ifndef SVN_ALLOW_BROKEN_HTTPD_AUTH

+#      error This version of httpd has a security hole with mod_authz_svn

+#    else

+       /* user wants to build anyway */

+#      define USE_FORCE_AUTHN 0

+#    endif

+#  endif

+#else

+   /* old enough that ap_some_auth_required() still works */

+#  define USE_FORCE_AUTHN 0

+#endif

+

 /*

  * Configuration

  */

@@ -682,7 +723,49 @@ access_checker(request_rec *r)

                                                     &authz_svn_module);

   const char *repos_path = NULL;

   const char *dest_repos_path = NULL;

-  int status;

+  int status, authn_required;

+

+#if USE_FORCE_AUTHN

+  /* Use the force_authn() hook available in 2.4.x to work securely

+   * given that ap_some_auth_required() is no longer functional for our

+   * purposes in 2.4.x.

+   */

+  int authn_configured;

+

+  /* We are not configured to run */

+  if (!conf->anonymous || apr_table_get(r->notes, IN_SOME_AUTHN_NOTE)

+      || (! (conf->access_file || conf->repo_relative_access_file)))

+    return DECLINED;

+

+  /* Authentication is configured */

+  authn_configured = ap_auth_type(r) != NULL;

+  if (authn_configured)

+    {

+      /* If the user is trying to authenticate, let him.  It doesn't

+       * make much sense to grant anonymous access but deny authenticated

+       * users access, even though you can do that with '$anon' in the

+       * access file.

+       */

+      if (apr_table_get(r->headers_in,

+                        (PROXYREQ_PROXY == r->proxyreq)

+                        ? "Proxy-Authorization" : "Authorization"))

+        {

+          /* Set the note to force authn regardless of what access_checker_ex

+             hook requires */

+          apr_table_setn(r->notes, FORCE_AUTHN_NOTE, (const char*)1);

+

+          /* provide the proper return so the access_checker hook doesn't

+           * prevent the code from continuing on to the other auth hooks */

+          if (ap_satisfies(r) != SATISFY_ANY)

+            return OK;

+          else

+            return HTTP_FORBIDDEN;

+        }

+    }    

+

+#else

+  /* Support for older versions of httpd that have a working

+   * ap_some_auth_required() */

   /* We are not configured to run */

   if (!conf->anonymous

@@ -697,9 +780,10 @@ access_checker(request_rec *r)

       if (ap_satisfies(r) != SATISFY_ANY)

         return DECLINED;

-      /* If the user is trying to authenticate, let him.  If anonymous

-       * access is allowed, so is authenticated access, by definition

-       * of the meaning of '*' in the access file.

+      /* If the user is trying to authenticate, let him.  It doesn't

+       * make much sense to grant anonymous access but deny authenticated

+       * users access, even though you can do that with '$anon' in the

+       * access file.

        */

       if (apr_table_get(r->headers_in,

                         (PROXYREQ_PROXY == r->proxyreq)

@@ -711,6 +795,7 @@ access_checker(request_rec *r)

           return HTTP_FORBIDDEN;

         }

     }

+#endif

   /* If anon access is allowed, return OK */

   status = req_check_access(r, conf, &repos_path, &dest_repos_path);

@@ -719,7 +804,26 @@ access_checker(request_rec *r)

       if (!conf->authoritative)

         return DECLINED;

+#if USE_FORCE_AUTHN

+      if (authn_configured) {

+          /* We have to check to see if authn is required because if so we must

+           * return UNAUTHORIZED (401) rather than FORBIDDEN (403) since returning

+           * the 403 leaks information about what paths may exist to

+           * unauthenticated users.  We must set a note here in order

+           * to use ap_some_authn_rquired() without triggering an infinite

+           * loop since the call will trigger this function to be called again. */

+          apr_table_setn(r->notes, IN_SOME_AUTHN_NOTE, (const char*)1);

+          authn_required = ap_some_authn_required(r);

+          apr_table_unset(r->notes, IN_SOME_AUTHN_NOTE);

+          if (authn_required)

+            {

+              ap_note_auth_failure(r);

+              return HTTP_UNAUTHORIZED;

+            }

+      }

+#else

       if (!ap_some_auth_required(r))

+#endif

         log_access_verdict(APLOG_MARK, r, 0, repos_path, dest_repos_path);

       return HTTP_FORBIDDEN;

@@ -800,6 +904,17 @@ auth_checker(request_rec *r)

   return OK;

 }

+#if USE_FORCE_AUTHN

+static int

+force_authn(request_rec *r)

+{

+  if (apr_table_get(r->notes, FORCE_AUTHN_NOTE))

+    return OK;

+

+  return DECLINED;

+}

+#endif

+

 /*

  * Module flesh

  */

@@ -816,6 +931,9 @@ register_hooks(apr_pool_t *p)

    * give SSLOptions +FakeBasicAuth a chance to work. */

   ap_hook_check_user_id(check_user_id, mod_ssl, NULL, APR_HOOK_FIRST);

   ap_hook_auth_checker(auth_checker, NULL, NULL, APR_HOOK_FIRST);

+#if USE_FORCE_AUTHN

+  ap_hook_force_authn(force_authn, NULL, NULL, APR_HOOK_FIRST);

+#endif

   ap_register_provider(p,

                        AUTHZ_SVN__SUBREQ_BYPASS_PROV_GRP,

                        AUTHZ_SVN__SUBREQ_BYPASS_PROV_NAME,

--- subversion-1.7.14/subversion/tests/cmdline/davautocheck.sh.cve3184

+++ subversion-1.7.14/subversion/tests/cmdline/davautocheck.sh

@@ -248,8 +248,6 @@ LOAD_MOD_AUTHN_CORE="$(get_loadmodule_co

     || fail "Authn_Core module not found."

 LOAD_MOD_AUTHZ_CORE="$(get_loadmodule_config mod_authz_core)" \

     || fail "Authz_Core module not found."

-LOAD_MOD_AUTHZ_HOST="$(get_loadmodule_config mod_authz_host)" \

-    || fail "Authz_Host module not found."

 LOAD_MOD_UNIXD=$(get_loadmodule_config mod_unixd) \

     || fail "UnixD module not found"

 }

@@ -257,6 +255,10 @@ LOAD_MOD_AUTHN_FILE="$(get_loadmodule_co

     || fail "Authn_File module not found."

 LOAD_MOD_AUTHZ_USER="$(get_loadmodule_config mod_authz_user)" \

     || fail "Authz_User module not found."

+LOAD_MOD_AUTHZ_GROUPFILE="$(get_loadmodule_config mod_authz_groupfile)" \

+    || fail "Authz_GroupFile module not found."

+LOAD_MOD_AUTHZ_HOST="$(get_loadmodule_config mod_authz_host)" \

+    || fail "Authz_Host module not found."

 }

 if [ ${APACHE_MPM:+set} ]; then

     LOAD_MOD_MPM=$(get_loadmodule_config mod_mpm_$APACHE_MPM) \

@@ -272,6 +274,7 @@ HTTPD_ERROR_LOG="$HTTPD_ROOT/error_log"

 HTTPD_MIME_TYPES="$HTTPD_ROOT/mime.types"

 BASE_URL="http://localhost:$HTTPD_PORT"

 HTTPD_USERS="$HTTPD_ROOT/users"

+HTTPD_GROUPS="$HTTPD_ROOT/groups"

 mkdir "$HTTPD_ROOT" \

   || fail "couldn't create temporary directory '$HTTPD_ROOT'"

@@ -281,6 +284,14 @@ say "Using directory '$HTTPD_ROOT'..."

 say "Adding users for lock authentication"

 $HTPASSWD -bc $HTTPD_USERS jrandom   rayjandom

 $HTPASSWD -b  $HTTPD_USERS jconstant rayjandom

+$HTPASSWD -b  $HTTPD_USERS JRANDOM   rayjandom

+$HTPASSWD -b  $HTTPD_USERS JCONSTANT rayjandom

+ 

+say "Adding groups for mod_authz_svn tests"

+cat > "$HTTPD_GROUPS" <<__EOF__

+random: jrandom

+constant: jconstant

+__EOF__

 touch $HTTPD_MIME_TYPES

@@ -297,7 +308,9 @@ $LOAD_MOD_AUTHN_CORE

 $LOAD_MOD_AUTHN_FILE

 $LOAD_MOD_AUTHZ_CORE

 $LOAD_MOD_AUTHZ_USER

+$LOAD_MOD_AUTHZ_GROUPFILE

 $LOAD_MOD_AUTHZ_HOST

+$LOAD_MOD_ACCESS_COMPAT

 LoadModule          authz_svn_module "$MOD_AUTHZ_SVN"

 __EOF__

@@ -369,6 +382,151 @@ CustomLog           "$HTTPD_ROOT/ops" "%

   SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

   ${SVN_PATH_AUTHZ_LINE}

 </Location>

+<Location /authz-test-work/anon>

+  DAV               svn

+  SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+  AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+  SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+  SVNListParentPath On

+  # This may seem unnecessary but granting access to everyone here is necessary

+  # to exercise a bug with httpd 2.3.x+.  The "Require all granted" syntax is

+  # new to 2.3.x+ which we can detect with the mod_authz_core.c module

+  # signature.  Use the "Allow from all" syntax with older versions for symmetry.

+  <IfModule mod_authz_core.c>

+    Require all granted

+  </IfModule>

+  <IfModule !mod_authz_core.c>

+    Allow from all

+  </IfMOdule>

+  ${SVN_PATH_AUTHZ_LINE}

+</Location>

+<Location /authz-test-work/mixed>

+  DAV               svn

+  SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+  AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+  SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+  SVNListParentPath On

+  AuthType          Basic

+  AuthName          "Subversion Repository"

+  AuthUserFile      $HTTPD_USERS

+  Require           valid-user

+  Satisfy Any

+  ${SVN_PATH_AUTHZ_LINE}

+</Location>

+<Location /authz-test-work/mixed-noauthwhenanon>

+  DAV               svn

+  SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+  AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+  SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+  SVNListParentPath On

+  AuthType          Basic

+  AuthName          "Subversion Repository"

+  AuthUserFile      $HTTPD_USERS

+  Require           valid-user

+  AuthzSVNNoAuthWhenAnonymousAllowed On

+  SVNPathAuthz On

+</Location>

+<Location /authz-test-work/authn>

+  DAV               svn

+  SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+  AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+  SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+  SVNListParentPath On

+  AuthType          Basic

+  AuthName          "Subversion Repository"

+  AuthUserFile      $HTTPD_USERS

+  Require           valid-user

+  ${SVN_PATH_AUTHZ_LINE}

+</Location>

+<Location /authz-test-work/authn-anonoff>

+  DAV               svn

+  SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+  AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+  SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+  SVNListParentPath On

+  AuthType          Basic

+  AuthName          "Subversion Repository"

+  AuthUserFile      $HTTPD_USERS

+  Require           valid-user

+  AuthzSVNAnonymous Off

+  SVNPathAuthz On

+</Location>

+<Location /authz-test-work/authn-lcuser>

+  DAV               svn

+  SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+  AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+  SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+  SVNListParentPath On

+  AuthType          Basic

+  AuthName          "Subversion Repository"

+  AuthUserFile      $HTTPD_USERS

+  Require           valid-user

+  AuthzForceUsernameCase Lower

+  ${SVN_PATH_AUTHZ_LINE}

+</Location>

+<Location /authz-test-work/authn-lcuser>

+  DAV               svn

+  SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+  AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+  SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+  SVNListParentPath On

+  AuthType          Basic

+  AuthName          "Subversion Repository"

+  AuthUserFile      $HTTPD_USERS

+  Require           valid-user

+  AuthzForceUsernameCase Lower

+  ${SVN_PATH_AUTHZ_LINE}

+</Location>

+<Location /authz-test-work/authn-group>

+  DAV               svn

+  SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+  AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+  SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+  SVNListParentPath On

+  AuthType          Basic

+  AuthName          "Subversion Repository"

+  AuthUserFile      $HTTPD_USERS

+  AuthGroupFile     $HTTPD_GROUPS

+  Require           group random

+  AuthzSVNAuthoritative Off

+  SVNPathAuthz On

+</Location>

+<IfModule mod_authz_core.c>

+  <Location /authz-test-work/sallrany>

+    DAV               svn

+    SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+    AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+    SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+    SVNListParentPath On

+    AuthType          Basic

+    AuthName          "Subversion Repository"

+    AuthUserFile      $HTTPD_USERS

+    AuthzSendForbiddenOnFailure On

+    Satisfy All

+    <RequireAny>

+      Require valid-user

+      Require expr req('ALLOW') == '1'

+    </RequireAny>

+    ${SVN_PATH_AUTHZ_LINE}

+  </Location>

+  <Location /authz-test-work/sallrall>

+    DAV               svn

+    SVNParentPath     "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"

+    AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"

+    SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}

+    SVNListParentPath On

+    AuthType          Basic

+    AuthName          "Subversion Repository"

+    AuthUserFile      $HTTPD_USERS

+    AuthzSendForbiddenOnFailure On

+    Satisfy All

+    <RequireAll>

+      Require valid-user

+      Require expr req('ALLOW') == '1'

+    </RequireAll>

+    ${SVN_PATH_AUTHZ_LINE}

+  </Location>

+</IfModule>

 RedirectMatch permanent ^/svn-test-work/repositories/REDIRECT-PERM-(.*)\$ /svn-test-work/repositories/\$1

 RedirectMatch           ^/svn-test-work/repositories/REDIRECT-TEMP-(.*)\$ /svn-test-work/repositories/\$1

 __EOF__

--- subversion-1.7.14/subversion/tests/cmdline/mod_authz_svn_tests.py.cve3184

+++ subversion-1.7.14/subversion/tests/cmdline/mod_authz_svn_tests.py

@@ -0,0 +1,1073 @@

+#!/usr/bin/env python

+#

+#  mod_authz_svn_tests.py:  testing mod_authz_svn

+#

+#  Subversion is a tool for revision control.

+#  See http://subversion.apache.org for more information.

+#

+# ====================================================================

+#    Licensed to the Apache Software Foundation (ASF) under one

+#    or more contributor license agreements.  See the NOTICE file

+#    distributed with this work for additional information

+#    regarding copyright ownership.  The ASF licenses this file

+#    to you under the Apache License, Version 2.0 (the

+#    "License"); you may not use this file except in compliance

+#    with the License.  You may obtain a copy of the License at

+#

+#      http://www.apache.org/licenses/LICENSE-2.0

+#

+#    Unless required by applicable law or agreed to in writing,

+#    software distributed under the License is distributed on an

+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

+#    KIND, either express or implied.  See the License for the

+#    specific language governing permissions and limitations

+#    under the License.

+######################################################################

+

+# General modules

+import os, re, logging

+

+logger = logging.getLogger()

+

+# Our testing module

+import svntest

+

+# (abbreviation)

+Skip = svntest.testcase.Skip_deco

+SkipUnless = svntest.testcase.SkipUnless_deco

+XFail = svntest.testcase.XFail_deco

+Issues = svntest.testcase.Issues_deco

+Issue = svntest.testcase.Issue_deco

+Wimp = svntest.testcase.Wimp_deco

+

+ls_of_D_no_H = '''<html><head><title>repos - Revision 1: /A/D</title></head>

+<body>

+ 
repos - Revision 1: /A/D

+ 

+  
..

+  
G/

+  
gamma

+ 

+</body></html>'''

+

+ls_of_D_H = '''<html><head><title>repos - Revision 1: /A/D</title></head>

+<body>

+ 
repos - Revision 1: /A/D

+ 

+  
..

+  
G/

+  
H/

+  
gamma

+ 

+</body></html>'''

+

+ls_of_H = '''<html><head><title>repos - Revision 1: /A/D/H</title></head>

+<body>

+ 
repos - Revision 1: /A/D/H

+ 

+  
..

+  
chi

+  
omega

+  
psi

+ 

+</body></html>'''

+

+user1 = svntest.main.wc_author

+user1_upper = user1.upper()

+user1_pass = svntest.main.wc_passwd

+user1_badpass = 'XXX'

+assert user1_pass != user1_badpass, "Passwords can't match"

+user2 = svntest.main.wc_author2

+user2_upper = user2.upper()

+user2_pass = svntest.main.wc_passwd

+user2_badpass = 'XXX'

+assert user2_pass != user2_badpass, "Passwords can't match"

+

+def write_authz_file(sbox):

+    svntest.main.write_authz_file(sbox, {

+                                          '/':  '$anonymous = r\n' +

+                                                'jrandom = rw\n' +

+                                                'jconstant = rw',

+                                          '/A/D/H': '$anonymous =\n' +

+                                                    '$authenticated =\n' +

+                                                    'jrandom = rw'

+                                        })

+

+def write_authz_file_groups(sbox):

+    authz_name = sbox.authz_name()

+    svntest.main.write_authz_file(sbox,{

+                                         '/':  '* =',

+                                       })

+

+def verify_get(test_area_url, path, user, pw,

+               expected_status, expected_body, headers):

+  import httplib

+  from urlparse import urlparse

+  import base64

+

+  req_url = test_area_url + path

+

+  loc = urlparse(req_url)

+

+  if loc.scheme == 'http':

+    h = httplib.HTTPConnection(loc.hostname, loc.port)

+  else:

+    h = httplib.HTTPSConnection(loc.hostname, loc.port)

+

+  if headers is None:

+    headers = {}

+

+  if user and pw:

+      auth_info = user + ':' + pw

+      headers['Authorization'] = 'Basic ' + base64.b64encode(auth_info)

+  else:

+      auth_info = "anonymous"

+

+  h.request('GET', req_url, None, headers)

+

+  r = h.getresponse()

+

+  actual_status = r.status

+  if expected_status and expected_status != actual_status:

+

+      logger.warn("Expected status '" + str(expected_status) +

+                  "' but got '" + str(actual_status) +

+                  "' on url '" + req_url + "' (" +

+                  auth_info + ").")

+      raise svntest.Failure

+

+  if expected_body:

+      actual_body = r.read()

+      if expected_body != actual_body:

+        logger.warn("Expected body:")

+        logger.warn(expected_body)

+        logger.warn("But got:")

+        logger.warn(actual_body)

+        logger.warn("on url '" + req_url + "' (" + auth_info + ").")

+        raise svntest.Failure

+

+def verify_gets(test_area_url, tests):

+  for test in tests:

+      verify_get(test_area_url, test['path'], test.get('user'), test.get('pw'),

+                 test['status'], test.get('body'), test.get('headers'))

+

+

+######################################################################

+# Tests

+#

+#   Each test must return on success or raise on failure.

+

+

+#----------------------------------------------------------------------

+

+

+@SkipUnless(svntest.main.is_ra_type_dav)

+def anon(sbox):

+  "test anonymous access"

+  sbox.build(read_only = True, create_wc = False)

+

+  test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',

+                                        '/authz-test-work/anon')

+

+  write_authz_file(sbox)

+

+  anon_tests = ( 

+                 { 'path': '', 'status': 301 },

+                 { 'path': '/', 'status': 200 },

+                 { 'path': '/repos', 'status': 301 },

+                 { 'path': '/repos/', 'status': 200 },