diff --git a/contrib/serf/CHANGES b/contrib/serf/CHANGES
index 441eb1edf630..6d39b0c5c096 100644
--- a/contrib/serf/CHANGES
+++ b/contrib/serf/CHANGES
@@ -1,8 +1,11 @@
-Serf 1.3.6 [2014-06-09, from /tags/1.3.6, rxxxx]
+Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
+ Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
+
+Serf 1.3.6 [2014-06-09, from /tags/1.3.6, r2372]
Revert r2319 from serf 1.3.5: this change was making serf call handle_response
multiple times in case of an error response, leading to unexpected behavior.
-Serf 1.3.5 [2014-04-27, from /tags/1.3.5, rxxxx]
+Serf 1.3.5 [2014-04-27, from /tags/1.3.5, r2355]
Fix issue #125: no reverse lookup during Negotiate authentication for proxies.
Fix a crash caused by incorrect reuse of the ssltunnel CONNECT request (r2316)
Cancel request if response parsing failed + authn callback set (r2319)
diff --git a/contrib/serf/buckets/ssl_buckets.c b/contrib/serf/buckets/ssl_buckets.c
index 1a27d3f8e4fe..d2fe51d71501 100644
--- a/contrib/serf/buckets/ssl_buckets.c
+++ b/contrib/serf/buckets/ssl_buckets.c
@@ -202,6 +202,8 @@ struct serf_ssl_certificate_t {
};
static void disable_compression(serf_ssl_context_t *ssl_ctx);
+static char *
+ pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool);
#if SSL_VERBOSE
/* Log all ssl alerts that we receive from the server. */
@@ -427,6 +429,85 @@ static BIO_METHOD bio_file_method = {
#endif
};
+typedef enum san_copy_t {
+ EscapeNulAndCopy = 0,
+ ErrorOnNul = 1,
+} san_copy_t;
+
+
+static apr_status_t
+get_subject_alt_names(apr_array_header_t **san_arr, X509 *ssl_cert,
+ san_copy_t copy_action, apr_pool_t *pool)
+{
+ STACK_OF(GENERAL_NAME) *names;
+
+ /* assert: copy_action == ErrorOnNul || (san_arr && pool) */
+
+ if (san_arr) {
+ *san_arr = NULL;
+ }
+
+ /* Get subjectAltNames */
+ names = X509_get_ext_d2i(ssl_cert, NID_subject_alt_name, NULL, NULL);
+ if (names) {
+ int names_count = sk_GENERAL_NAME_num(names);
+ int name_idx;
+
+ if (san_arr)
+ *san_arr = apr_array_make(pool, names_count, sizeof(char*));
+ for (name_idx = 0; name_idx < names_count; name_idx++) {
+ char *p = NULL;
+ GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, name_idx);
+
+ switch (nm->type) {
+ case GEN_DNS:
+ if (copy_action == ErrorOnNul &&
+ strlen(nm->d.ia5->data) != nm->d.ia5->length)
+ return SERF_ERROR_SSL_CERT_FAILED;
+ if (san_arr && *san_arr)
+ p = pstrdup_escape_nul_bytes((const char *)nm->d.ia5->data,
+ nm->d.ia5->length,
+ pool);
+ break;
+ default:
+ /* Don't know what to do - skip. */
+ break;
+ }
+
+ if (p) {
+ APR_ARRAY_PUSH(*san_arr, char*) = p;
+ }
+ }
+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+ }
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t validate_cert_hostname(X509 *server_cert, apr_pool_t *pool)
+{
+ char buf[1024];
+ int length;
+ apr_status_t ret;
+
+ ret = get_subject_alt_names(NULL, server_cert, ErrorOnNul, NULL);
+ if (ret) {
+ return ret;
+ } else {
+ /* Fail if the subject's CN field contains \0 characters. */
+ X509_NAME *subject = X509_get_subject_name(server_cert);
+ if (!subject)
+ return SERF_ERROR_SSL_CERT_FAILED;
+
+ length = X509_NAME_get_text_by_NID(subject, NID_commonName, buf, 1024);
+ if (length != -1)
+ if (strlen(buf) != length)
+ return SERF_ERROR_SSL_CERT_FAILED;
+ }
+
+ return APR_SUCCESS;
+}
+
static int
validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
{
@@ -435,6 +516,7 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
X509 *server_cert;
int err, depth;
int failures = 0;
+ apr_status_t status;
ssl = X509_STORE_CTX_get_ex_data(store_ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
@@ -475,6 +557,11 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
}
}
+ /* Validate hostname */
+ status = validate_cert_hostname(server_cert, ctx->pool);
+ if (status)
+ failures |= SERF_SSL_CERT_UNKNOWN_FAILURE;
+
/* Check certificate expiry dates. */
if (X509_cmp_current_time(X509_get_notBefore(server_cert)) >= 0) {
failures |= SERF_SSL_CERT_NOTYETVALID;
@@ -485,7 +572,6 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
if (ctx->server_cert_callback &&
(depth == 0 || failures)) {
- apr_status_t status;
serf_ssl_certificate_t *cert;
apr_pool_t *subpool;
@@ -512,7 +598,6 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
if (ctx->server_cert_chain_callback
&& (depth == 0 || failures)) {
- apr_status_t status;
STACK_OF(X509) *chain;
const serf_ssl_certificate_t **certs;
int certs_len;
@@ -1461,7 +1546,50 @@ serf_ssl_context_t *serf_bucket_ssl_encrypt_context_get(
/* Functions to read a serf_ssl_certificate structure. */
-/* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). */
+/* Takes a counted length string and escapes any NUL bytes so that
+ * it can be used as a C string. NUL bytes are escaped as 3 characters
+ * "\00" (that's a literal backslash).
+ * The returned string is allocated in POOL.
+ */
+static char *
+pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool)
+{
+ int i, nul_count = 0;
+ char *ret;
+
+ /* First determine if there are any nul bytes in the string. */
+ for (i = 0; i < len; i++) {
+ if (buf[i] == '\0')
+ nul_count++;
+ }
+
+ if (nul_count == 0) {
+ /* There aren't so easy case to just copy the string */
+ ret = apr_pstrdup(pool, buf);
+ } else {
+ /* There are so we have to replace nul bytes with escape codes
+ * Proper length is the length of the original string, plus
+ * 2 times the number of nulls (for two digit hex code for
+ * the value) + the trailing null. */
+ char *pos;
+ ret = pos = apr_palloc(pool, len + 2 * nul_count + 1);
+ for (i = 0; i < len; i++) {
+ if (buf[i] != '\0') {
+ *(pos++) = buf[i];
+ } else {
+ *(pos++) = '\\';
+ *(pos++) = '0';
+ *(pos++) = '0';
+ }
+ }
+ *pos = '\0';
+ }
+
+ return ret;
+}
+
+/* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). Any NUL bytes in
+ these fields in the certificate will be escaped as \00. */
static apr_hash_t *
convert_X509_NAME_to_table(X509_NAME *org, apr_pool_t *pool)
{
@@ -1474,37 +1602,44 @@ convert_X509_NAME_to_table(X509_NAME *org, apr_pool_t *pool)
NID_commonName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_pkcs9_emailAddress,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "E", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "E", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_organizationalUnitName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_organizationName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "O", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "O", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_localityName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "L", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "L", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_stateOrProvinceName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_countryName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "C", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "C", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
return tgt;
}
@@ -1550,7 +1685,7 @@ apr_hash_t *serf_ssl_cert_certificate(
unsigned int md_size, i;
unsigned char md[EVP_MAX_MD_SIZE];
BIO *bio;
- STACK_OF(GENERAL_NAME) *names;
+ apr_array_header_t *san_arr;
/* sha1 fingerprint */
if (X509_digest(cert->ssl_cert, EVP_sha1(), md, &md_size)) {
@@ -1595,32 +1730,8 @@ apr_hash_t *serf_ssl_cert_certificate(
BIO_free(bio);
/* Get subjectAltNames */
- names = X509_get_ext_d2i(cert->ssl_cert, NID_subject_alt_name, NULL, NULL);
- if (names) {
- int names_count = sk_GENERAL_NAME_num(names);
-
- apr_array_header_t *san_arr = apr_array_make(pool, names_count,
- sizeof(char*));
+ if (!get_subject_alt_names(&san_arr, cert->ssl_cert, EscapeNulAndCopy, pool))
apr_hash_set(tgt, "subjectAltName", APR_HASH_KEY_STRING, san_arr);
- for (i = 0; i < names_count; i++) {
- char *p = NULL;
- GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, i);
-
- switch (nm->type) {
- case GEN_DNS:
- p = apr_pstrmemdup(pool, (const char *)nm->d.ia5->data,
- nm->d.ia5->length);
- break;
- default:
- /* Don't know what to do - skip. */
- break;
- }
- if (p) {
- APR_ARRAY_PUSH(san_arr, char*) = p;
- }
- }
- sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
- }
return tgt;
}
diff --git a/contrib/serf/serf.h b/contrib/serf/serf.h
index d3ac2f3548de..f6f34a7c7ddd 100644
--- a/contrib/serf/serf.h
+++ b/contrib/serf/serf.h
@@ -1062,7 +1062,7 @@ void serf_debug__bucket_alloc_check(
/* Version info */
#define SERF_MAJOR_VERSION 1
#define SERF_MINOR_VERSION 3
-#define SERF_PATCH_VERSION 6
+#define SERF_PATCH_VERSION 7
/* Version number string */
#define SERF_VERSION_STRING APR_STRINGIFY(SERF_MAJOR_VERSION) "." \
diff --git a/contrib/subversion/CHANGES b/contrib/subversion/CHANGES
index f10874794683..616caec3fb9d 100644
--- a/contrib/subversion/CHANGES
+++ b/contrib/subversion/CHANGES
@@ -1,3 +1,45 @@
+Version 1.8.10
+(11 Aug 2014, from /branches/1.8.x)
+http://svn.apache.org/repos/asf/subversion/tags/1.8.10
+
+ User-visible changes:
+ - Client-side bugfixes:
+ * guard against md5 hash collisions when finding cached credentials
+ (r1550691, r1550772, r1600909)
+ * ra_serf: properly match wildcards in SSL certs. (r1615211, 1615219)
+ * ra_serf: ignore the CommonName in SSL certs where there are Subject Alt
+ Names (r1565531, r1566503, r1568349, r1568361)
+ * ra_serf: fix a URI escaping bug that prevented deleting locked paths
+ (r1594223, r1553501, r1553556, r1559197, issue #3674)
+ * rm: Display the proper URL when deleting a URL in the commit log editor
+ (r1591123)
+ * log: Fix another instance of broken pipe error (r1596866, issue #3014)
+ * copy: Properly handle props not present or excluded on cross wc copy
+ (r1589184, r1589188)
+ * copy: Fix copying parents of locally deleted nodes between wcs
+ (r1589460, r1589486)
+ * externals: Properly delete ancestor directories of externals when
+ removing the external by changing svn:externals. (r1600311, 1600315,
+ r1600323, r1600393)
+ * ra_serf: fix memory lifetime of some hash values (r1606009)
+
+ - Server-side bugfixes:
+ * fsfs: omit config file when creating pre-1.5 format repos (r1547454,
+ r1561703)
+
+ Developer-visible changes:
+ - General:
+ * fix improper linking when serf is in the same prefix as existing svn
+ libraries. (r1609004)
+ * use proper intermediate directory when building with VS 2003-2008
+ (r1595431)
+ * support generating VS 2013 and later project files.
+
+ - Bindings:
+ * ruby: removing warning about Ruby 1.9 support being new. (r1593992)
+ * python: fix notify_func callbacks (r1594794, r1594814, r1594834, r1595061)
+
+
Version 1.8.9
(07 May 2014, from /branches/1.8.x)
http://svn.apache.org/repos/asf/subversion/tags/1.8.9
@@ -687,6 +729,24 @@ http://svn.apache.org/repos/asf/subversion/tags/1.8.0
* fix some reference counting bugs in swig-py bindings (r1464899, r1466524)
+Version 1.7.18
+(11 Aug 2014, from /branches/1.7.x)
+http://svn.apache.org/repos/asf/subversion/tags/1.7.18
+
+ User-visible changes:
+ - Client-side bugfixes:
+ * guard against md5 hash collisions when finding cached credentials
+ (r1550691, r1550772, r1600909)
+ * ra_serf: properly match wildcards in SSL certs. (r1615211, 1615219)
+ * ra_serf: ignore the CommonName in SSL certs where there are Subject Alt
+ Names (r1565531, r1566503, r1568349)
+
+ Developer-visible changes:
+ - General:
+ * fix ocassional failure in checkout_tests.py test 12. (r1496127)
+ * disable building ZLib's assembly optimizations on Windows.
+
+
Version 1.7.17
(07 May 2014, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.17
diff --git a/contrib/subversion/build-outputs.mk b/contrib/subversion/build-outputs.mk
index 6d73c30bc8d6..3126b3f7fdd6 100644
--- a/contrib/subversion/build-outputs.mk
+++ b/contrib/subversion/build-outputs.mk
@@ -2231,7 +2231,7 @@ subversion/libsvn_ra_serf/serf.lo: subversion/libsvn_ra_serf/serf.c subversion/i
subversion/libsvn_ra_serf/update.lo: subversion/libsvn_ra_serf/update.c subversion/include/private/svn_dav_protocol.h subversion/include/private/svn_debug.h subversion/include/private/svn_dep_compat.h subversion/include/private/svn_editor.h subversion/include/private/svn_fspath.h subversion/include/private/svn_ra_private.h subversion/include/private/svn_string_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_base64.h subversion/include/svn_checksum.h subversion/include/svn_config.h subversion/include/svn_dav.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_props.h subversion/include/svn_ra.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/include/svn_version.h subversion/include/svn_xml.h subversion/libsvn_ra/ra_loader.h subversion/libsvn_ra_serf/blncache.h subversion/libsvn_ra_serf/ra_serf.h subversion/svn_private_config.h
-subversion/libsvn_ra_serf/util.lo: subversion/libsvn_ra_serf/util.c subversion/include/private/svn_auth_private.h subversion/include/private/svn_dav_protocol.h subversion/include/private/svn_debug.h subversion/include/private/svn_dep_compat.h subversion/include/private/svn_editor.h subversion/include/private/svn_fspath.h subversion/include/private/svn_ra_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_checksum.h subversion/include/svn_config.h subversion/include/svn_dav.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_props.h subversion/include/svn_ra.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/include/svn_version.h subversion/include/svn_xml.h subversion/libsvn_ra/ra_loader.h subversion/libsvn_ra_serf/blncache.h subversion/libsvn_ra_serf/ra_serf.h subversion/svn_private_config.h
+subversion/libsvn_ra_serf/util.lo: subversion/libsvn_ra_serf/util.c subversion/include/private/svn_auth_private.h subversion/include/private/svn_cert.h subversion/include/private/svn_dav_protocol.h subversion/include/private/svn_debug.h subversion/include/private/svn_dep_compat.h subversion/include/private/svn_editor.h subversion/include/private/svn_fspath.h subversion/include/private/svn_ra_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_checksum.h subversion/include/svn_config.h subversion/include/svn_dav.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_props.h subversion/include/svn_ra.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/include/svn_version.h subversion/include/svn_xml.h subversion/libsvn_ra/ra_loader.h subversion/libsvn_ra_serf/blncache.h subversion/libsvn_ra_serf/ra_serf.h subversion/svn_private_config.h
subversion/libsvn_ra_serf/util_error.lo: subversion/libsvn_ra_serf/util_error.c subversion/include/private/svn_dav_protocol.h subversion/include/private/svn_debug.h subversion/include/private/svn_editor.h subversion/include/private/svn_error_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_checksum.h subversion/include/svn_config.h subversion/include/svn_dav.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_pools.h subversion/include/svn_ra.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/include/svn_utf.h subversion/include/svn_version.h subversion/libsvn_ra_serf/blncache.h subversion/libsvn_ra_serf/ra_serf.h
@@ -2329,7 +2329,7 @@ subversion/libsvn_subr/debug.lo: subversion/libsvn_subr/debug.c subversion/inclu
subversion/libsvn_subr/deprecated.lo: subversion/libsvn_subr/deprecated.c subversion/include/private/svn_debug.h subversion/include/private/svn_mergeinfo_private.h subversion/include/private/svn_opt_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_checksum.h subversion/include/svn_cmdline.h subversion/include/svn_config.h subversion/include/svn_dirent_uri.h subversion/include/svn_dso.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_opt.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_subst.h subversion/include/svn_types.h subversion/include/svn_utf.h subversion/include/svn_version.h subversion/include/svn_xml.h subversion/libsvn_subr/opt.h subversion/svn_private_config.h
-subversion/libsvn_subr/dirent_uri.lo: subversion/libsvn_subr/dirent_uri.c subversion/include/private/svn_debug.h subversion/include/private/svn_fspath.h subversion/include/svn_ctype.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_path.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/libsvn_subr/dirent_uri.h subversion/svn_private_config.h
+subversion/libsvn_subr/dirent_uri.lo: subversion/libsvn_subr/dirent_uri.c subversion/include/private/svn_cert.h subversion/include/private/svn_debug.h subversion/include/private/svn_fspath.h subversion/include/svn_ctype.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_path.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/libsvn_subr/dirent_uri.h subversion/svn_private_config.h
subversion/libsvn_subr/dso.lo: subversion/libsvn_subr/dso.c subversion/include/private/svn_debug.h subversion/include/private/svn_mutex.h subversion/include/svn_checksum.h subversion/include/svn_dso.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/svn_private_config.h
@@ -2781,7 +2781,7 @@ subversion/tests/libsvn_subr/config-test.lo: subversion/tests/libsvn_subr/config
subversion/tests/libsvn_subr/crypto-test.lo: subversion/tests/libsvn_subr/crypto-test.c subversion/include/private/svn_debug.h subversion/include/svn_checksum.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/libsvn_subr/crypto.h subversion/tests/svn_test.h
-subversion/tests/libsvn_subr/dirent_uri-test.lo: subversion/tests/libsvn_subr/dirent_uri-test.c subversion/include/private/svn_debug.h subversion/include/private/svn_fspath.h subversion/include/svn_checksum.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/tests/svn_test.h
+subversion/tests/libsvn_subr/dirent_uri-test.lo: subversion/tests/libsvn_subr/dirent_uri-test.c subversion/include/private/svn_cert.h subversion/include/private/svn_debug.h subversion/include/private/svn_fspath.h subversion/include/svn_checksum.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/tests/svn_test.h
subversion/tests/libsvn_subr/error-code-test.lo: subversion/tests/libsvn_subr/error-code-test.c subversion/include/private/svn_debug.h subversion/include/svn_checksum.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_path.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/tests/svn_test.h
diff --git a/contrib/subversion/build.conf b/contrib/subversion/build.conf
index 74defd02b66d..356163a2d2d8 100644
--- a/contrib/subversion/build.conf
+++ b/contrib/subversion/build.conf
@@ -342,6 +342,7 @@ msvc-export =
private\svn_temp_serializer.h private\svn_io_private.h
private\svn_string_private.h private\svn_magic.h
private\svn_subr_private.h private\svn_mutex.h private\svn_named_atomic.h
+ private\svn_cert.h
# Working copy management lib
[libsvn_wc]
diff --git a/contrib/subversion/configure b/contrib/subversion/configure
index 3010dc7a878b..445251bdf75b 100755
--- a/contrib/subversion/configure
+++ b/contrib/subversion/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for subversion 1.8.9.
+# Generated by GNU Autoconf 2.69 for subversion 1.8.10.
#
# Report bugs to .
#
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='subversion'
PACKAGE_TARNAME='subversion'
-PACKAGE_VERSION='1.8.9'
-PACKAGE_STRING='subversion 1.8.9'
+PACKAGE_VERSION='1.8.10'
+PACKAGE_STRING='subversion 1.8.10'
PACKAGE_BUGREPORT='http://subversion.apache.org/'
PACKAGE_URL=''
@@ -1457,7 +1457,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures subversion 1.8.9 to adapt to many kinds of systems.
+\`configure' configures subversion 1.8.10 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1523,7 +1523,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of subversion 1.8.9:";;
+ short | recursive ) echo "Configuration of subversion 1.8.10:";;
esac
cat <<\_ACEOF
@@ -1737,7 +1737,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-subversion configure 1.8.9
+subversion configure 1.8.10
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2281,7 +2281,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by subversion $as_me 1.8.9, which was
+It was created by subversion $as_me 1.8.10, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2661,8 +2661,8 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: Configuring Subversion 1.8.9" >&5
-$as_echo "$as_me: Configuring Subversion 1.8.9" >&6;}
+{ $as_echo "$as_me:${as_lineno-$LINENO}: Configuring Subversion 1.8.10" >&5
+$as_echo "$as_me: Configuring Subversion 1.8.10" >&6;}
abs_srcdir="`cd $srcdir && pwd`"
@@ -5285,7 +5285,26 @@ if test "x$ac_cv_header_serf_h" = xyes; then :
_ACEOF
save_ldflags="$LDFLAGS"
- LDFLAGS="$LDFLAGS -L$serf_prefix/lib"
+ LDFLAGS="$LDFLAGS `
+ input_flags="-L$serf_prefix/lib"
+ output_flags=""
+ filtered_dirs="/lib /lib64 /usr/lib /usr/lib64"
+ for flag in $input_flags; do
+ filter="no"
+ for dir in $filtered_dirs; do
+ if test "$flag" = "-L$dir" || test "$flag" = "-L$dir/"; then
+ filter="yes"
+ break
+ fi
+ done
+ if test "$filter" = "no"; then
+ output_flags="$output_flags $flag"
+ fi
+ done
+ if test -n "$output_flags"; then
+ printf "%s" "${output_flags# }"
+ fi
+`"
as_ac_Lib=`$as_echo "ac_cv_lib_$serf_major''_serf_context_create" | $as_tr_sh`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for serf_context_create in -l$serf_major" >&5
$as_echo_n "checking for serf_context_create in -l$serf_major... " >&6; }
@@ -5369,7 +5388,26 @@ done
SVN_SERF_LIBS="$serf_prefix/lib/lib$serf_major.la"
else
SVN_SERF_LIBS="-l$serf_major"
- LDFLAGS="$LDFLAGS -L$serf_prefix/lib"
+ LDFLAGS="$LDFLAGS `
+ input_flags="-L$serf_prefix/lib"
+ output_flags=""
+ filtered_dirs="/lib /lib64 /usr/lib /usr/lib64"
+ for flag in $input_flags; do
+ filter="no"
+ for dir in $filtered_dirs; do
+ if test "$flag" = "-L$dir" || test "$flag" = "-L$dir/"; then
+ filter="yes"
+ break
+ fi
+ done
+ if test "$filter" = "no"; then
+ output_flags="$output_flags $flag"
+ fi
+ done
+ if test -n "$output_flags"; then
+ printf "%s" "${output_flags# }"
+ fi
+`"
fi
fi
@@ -18002,7 +18040,26 @@ if test "${with_berkeley_db+set}" = set; then :
done
SVN_DB_INCLUDES="${SVN_DB_INCLUDES## }"
for l in `echo "$withval" | $SED -e "s/.*:[^:]*:\([^:]*\):.*/\1/"`; do
- LDFLAGS="$LDFLAGS -L$l"
+ LDFLAGS="$LDFLAGS `
+ input_flags="-L$l"
+ output_flags=""
+ filtered_dirs="/lib /lib64 /usr/lib /usr/lib64"
+ for flag in $input_flags; do
+ filter="no"
+ for dir in $filtered_dirs; do
+ if test "$flag" = "-L$dir" || test "$flag" = "-L$dir/"; then
+ filter="yes"
+ break
+ fi
+ done
+ if test "$filter" = "no"; then
+ output_flags="$output_flags $flag"
+ fi
+ done
+ if test -n "$output_flags"; then
+ printf "%s" "${output_flags# }"
+ fi
+`"
done
SVN_DB_LIBS=""
for l in `echo "$withval" | $SED -e "s/.*:\([^:]*\)/\1/"`; do
@@ -22728,12 +22785,6 @@ $as_echo "$svn_cv_ruby_teeny" >&6; }
$as_echo "$as_me: WARNING: The detected Ruby is between 1.9 and 1.9.3" >&2;}
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Only 1.8.x and 1.9.3 releases are supported at this time" >&5
$as_echo "$as_me: WARNING: Only 1.8.x and 1.9.3 releases are supported at this time" >&2;}
- elif test \( "$RUBY_MAJOR" -eq "1" -a "$RUBY_MINOR" -eq "9" -a "$RUBY_TEENY" -eq "3" \); then
- #Warn about 1.9.3 support
- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: WARNING: The detected Ruby is 1.9.3" >&5
-$as_echo "$as_me: WARNING: WARNING: The detected Ruby is 1.9.3" >&2;}
- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: WARNING: Only 1.8.x releases are fully supported, 1.9.3 support is new" >&5
-$as_echo "$as_me: WARNING: WARNING: Only 1.8.x releases are fully supported, 1.9.3 support is new" >&2;}
fi
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -25746,7 +25797,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by subversion $as_me 1.8.9, which was
+This file was extended by subversion $as_me 1.8.10, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -25812,7 +25863,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-subversion config.status 1.8.9
+subversion config.status 1.8.10
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/contrib/subversion/configure.ac b/contrib/subversion/configure.ac
index f7d2264a9b89..955ba254f87c 100644
--- a/contrib/subversion/configure.ac
+++ b/contrib/subversion/configure.ac
@@ -1280,10 +1280,6 @@ if test "$RUBY" != "none"; then
RUBY="none"
AC_MSG_WARN([The detected Ruby is between 1.9 and 1.9.3])
AC_MSG_WARN([Only 1.8.x and 1.9.3 releases are supported at this time])
- elif test \( "$RUBY_MAJOR" -eq "1" -a "$RUBY_MINOR" -eq "9" -a "$RUBY_TEENY" -eq "3" \); then
- #Warn about 1.9.3 support
- AC_MSG_WARN([WARNING: The detected Ruby is 1.9.3])
- AC_MSG_WARN([WARNING: Only 1.8.x releases are fully supported, 1.9.3 support is new])
fi
else
AC_MSG_RESULT([no])
diff --git a/contrib/subversion/get-deps.sh b/contrib/subversion/get-deps.sh
index 0c0be8cc175d..912547c836ec 100755
--- a/contrib/subversion/get-deps.sh
+++ b/contrib/subversion/get-deps.sh
@@ -33,11 +33,11 @@
APR_VERSION=${APR_VERSION:-"1.4.6"}
APU_VERSION=${APU_VERSION:-"1.5.1"}
-SERF_VERSION=${SERF_VERSION:-"1.2.1"}
+SERF_VERSION=${SERF_VERSION:-"1.3.4"}
ZLIB_VERSION=${ZLIB_VERSION:-"1.2.8"}
SQLITE_VERSION=${SQLITE_VERSION:-"3.7.15.1"}
GTEST_VERSION=${GTEST_VERSION:-"1.6.0"}
-HTTPD_VERSION=${HTTPD_VERSION:-"2.4.6"}
+HTTPD_VERSION=${HTTPD_VERSION:-"2.4.10"}
APR_ICONV_VERSION=${APR_ICONV_VERSION:-"1.2.1"}
APR=apr-${APR_VERSION}
@@ -57,7 +57,7 @@ TEMPDIR=$BASEDIR/temp
HTTP_FETCH=
[ -z "$HTTP_FETCH" ] && type wget >/dev/null 2>&1 && HTTP_FETCH="wget -q -nc"
-[ -z "$HTTP_FETCH" ] && type curl >/dev/null 2>&1 && HTTP_FETCH="curl -sO"
+[ -z "$HTTP_FETCH" ] && type curl >/dev/null 2>&1 && HTTP_FETCH="curl -sOL"
[ -z "$HTTP_FETCH" ] && type fetch >/dev/null 2>&1 && HTTP_FETCH="fetch -q"
# Need this uncommented if any of the specific versions of the ASF tarballs to
@@ -89,7 +89,7 @@ get_serf() {
test -d $BASEDIR/serf && return
cd $TEMPDIR
- $HTTP_FETCH http://serf.googlecode.com/files/$SERF.tar.bz2
+ $HTTP_FETCH http://serf.googlecode.com/svn/src_releases/$SERF.tar.bz2
cd $BASEDIR
bzip2 -dc $TEMPDIR/$SERF.tar.bz2 | tar -xf -
@@ -101,7 +101,7 @@ get_zlib() {
test -d $BASEDIR/zlib && return
cd $TEMPDIR
- $HTTP_FETCH http://www.zlib.net/$ZLIB.tar.gz
+ $HTTP_FETCH http://sourceforge.net/projects/libpng/files/zlib/$ZLIB_VERSION/$ZLIB.tar.gz
cd $BASEDIR
gzip -dc $TEMPDIR/$ZLIB.tar.gz | tar -xf -
diff --git a/contrib/subversion/subversion/include/private/svn_cert.h b/contrib/subversion/subversion/include/private/svn_cert.h
new file mode 100644
index 000000000000..32e32a01f7d9
--- /dev/null
+++ b/contrib/subversion/subversion/include/private/svn_cert.h
@@ -0,0 +1,68 @@
+/**
+ * @copyright
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ * @endcopyright
+ *
+ * @file svn_cert.h
+ * @brief Implementation of certificate validation functions
+ */
+
+#ifndef SVN_CERT_H
+#define SVN_CERT_H
+
+#include
+
+#include "svn_types.h"
+#include "svn_string.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+
+/* Return TRUE iff @a pattern matches @a hostname as defined
+ * by the matching rules of RFC 6125. In the context of RFC
+ * 6125 the pattern is the domain name portion of the presented
+ * identifier (which comes from the Common Name or a DNSName
+ * portion of the subjectAltName of an X.509 certificate) and
+ * the hostname is the source domain (i.e. the host portion
+ * of the URI the user entered).
+ *
+ * @note With respect to wildcards we only support matching
+ * wildcards in the left-most label and as the only character
+ * in the left-most label (i.e. we support RFC 6125 ยง 6.4.3
+ * Rule 1 and 2 but not the optional Rule 3). This may change
+ * in the future.
+ *
+ * @note Subversion does not at current support internationalized
+ * domain names. Both values are presumed to be in NR-LDH label
+ * or A-label form (see RFC 5890 for the definition).
+ *
+ * @since New in 1.9.
+ */
+svn_boolean_t
+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname);
+
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* SVN_CERT_H */
diff --git a/contrib/subversion/subversion/include/svn_version.h b/contrib/subversion/subversion/include/svn_version.h
index ee97c88a2f05..8788fa56ea0a 100644
--- a/contrib/subversion/subversion/include/svn_version.h
+++ b/contrib/subversion/subversion/include/svn_version.h
@@ -72,7 +72,7 @@ extern "C" {
*
* @since New in 1.1.
*/
-#define SVN_VER_PATCH 9
+#define SVN_VER_PATCH 10
/** @deprecated Provided for backward compatibility with the 1.0 API. */
@@ -95,7 +95,7 @@ extern "C" {
*
* Always change this at the same time as SVN_VER_NUMTAG.
*/
-#define SVN_VER_TAG " (r1591380)"
+#define SVN_VER_TAG " (r1615264)"
/** Number tag: a string describing the version.
@@ -121,7 +121,7 @@ extern "C" {
* When rolling a tarball, we automatically replace it with what we
* guess to be the correct revision number.
*/
-#define SVN_VER_REVISION 1591380
+#define SVN_VER_REVISION 1615264
/* Version strings composed from the above definitions. */
diff --git a/contrib/subversion/subversion/libsvn_client/delete.c b/contrib/subversion/subversion/libsvn_client/delete.c
index 2f4ee664f335..803b70c1fb23 100644
--- a/contrib/subversion/subversion/libsvn_client/delete.c
+++ b/contrib/subversion/subversion/libsvn_client/delete.c
@@ -193,7 +193,7 @@ path_driver_cb_func(void **dir_baton,
static svn_error_t *
single_repos_delete(svn_ra_session_t *ra_session,
- const char *repos_root,
+ const char *base_uri,
const apr_array_header_t *relpaths,
const apr_hash_t *revprop_table,
svn_commit_callback2_t commit_callback,
@@ -221,7 +221,7 @@ single_repos_delete(svn_ra_session_t *ra_session,
const char *relpath = APR_ARRAY_IDX(relpaths, i, const char *);
item = svn_client_commit_item3_create(pool);
- item->url = svn_path_url_add_component2(repos_root, relpath, pool);
+ item->url = svn_path_url_add_component2(base_uri, relpath, pool);
item->state_flags = SVN_CLIENT_COMMIT_ITEM_DELETE;
APR_ARRAY_PUSH(commit_items, svn_client_commit_item3_t *) = item;
}
@@ -361,7 +361,6 @@ delete_urls_multi_repos(const apr_array_header_t *uris,
iterpool = svn_pool_create(pool);
for (hi = apr_hash_first(pool, deletables); hi; hi = apr_hash_next(hi))
{
- const char *repos_root = svn__apr_hash_index_key(hi);
struct repos_deletables_t *repos_deletables = svn__apr_hash_index_val(hi);
const char *base_uri;
apr_array_header_t *target_relpaths;
@@ -398,7 +397,7 @@ delete_urls_multi_repos(const apr_array_header_t *uris,
}
SVN_ERR(svn_ra_reparent(repos_deletables->ra_session, base_uri, pool));
- SVN_ERR(single_repos_delete(repos_deletables->ra_session, repos_root,
+ SVN_ERR(single_repos_delete(repos_deletables->ra_session, base_uri,
target_relpaths,
revprop_table, commit_callback,
commit_baton, ctx, iterpool));
diff --git a/contrib/subversion/subversion/libsvn_client/externals.c b/contrib/subversion/subversion/libsvn_client/externals.c
index e572dc7b3f00..8c08f405279e 100644
--- a/contrib/subversion/subversion/libsvn_client/externals.c
+++ b/contrib/subversion/subversion/libsvn_client/externals.c
@@ -1017,19 +1017,30 @@ svn_client__handle_externals(apr_hash_t *externals_new,
parent_abspath = svn_dirent_dirname(parent_abspath, iterpool);
SVN_ERR(svn_wc_read_kind2(&kind, ctx->wc_ctx, parent_abspath,
- TRUE, FALSE, iterpool));
+ FALSE /* show_deleted*/,
+ FALSE /* show_hidden */,
+ iterpool));
if (kind == svn_node_none)
{
svn_error_t *err;
err = svn_io_dir_remove_nonrecursive(parent_abspath, iterpool);
- if (err && APR_STATUS_IS_ENOTEMPTY(err->apr_err))
+ if (err)
{
- svn_error_clear(err);
- break;
+ if (APR_STATUS_IS_ENOTEMPTY(err->apr_err))
+ {
+ svn_error_clear(err);
+ break; /* No parents to delete */
+ }
+ else if (APR_STATUS_IS_ENOENT(err->apr_err)
+ || APR_STATUS_IS_ENOTDIR(err->apr_err))
+ {
+ svn_error_clear(err);
+ /* Fall through; parent dir might be unversioned */
+ }
+ else
+ return svn_error_trace(err);
}
- else
- SVN_ERR(err);
}
} while (strcmp(parent_abspath, defining_abspath) != 0);
}
diff --git a/contrib/subversion/subversion/libsvn_fs_fs/fs_fs.c b/contrib/subversion/subversion/libsvn_fs_fs/fs_fs.c
index 372455d2d735..89816a8bcb6f 100644
--- a/contrib/subversion/subversion/libsvn_fs_fs/fs_fs.c
+++ b/contrib/subversion/subversion/libsvn_fs_fs/fs_fs.c
@@ -8877,7 +8877,12 @@ svn_fs_fs__create(svn_fs_t *fs,
SVN_ERR(write_revision_zero(fs));
- SVN_ERR(write_config(fs, pool));
+ /* Create the fsfs.conf file if supported. Older server versions would
+ simply ignore the file but that might result in a different behavior
+ than with the later releases. Also, hotcopy would ignore, i.e. not
+ copy, a fsfs.conf with old formats. */
+ if (ffd->format >= SVN_FS_FS__MIN_CONFIG_FILE)
+ SVN_ERR(write_config(fs, pool));
SVN_ERR(read_config(ffd, fs->path, pool));
diff --git a/contrib/subversion/subversion/libsvn_fs_fs/rep-cache-db.h b/contrib/subversion/subversion/libsvn_fs_fs/rep-cache-db.h
index 5e1510784800..0c9b821fec4b 100644
--- a/contrib/subversion/subversion/libsvn_fs_fs/rep-cache-db.h
+++ b/contrib/subversion/subversion/libsvn_fs_fs/rep-cache-db.h
@@ -1,4 +1,4 @@
-/* This file is automatically generated from rep-cache-db.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_fs_fs/token-map.h.
+/* This file is automatically generated from rep-cache-db.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_fs_fs/token-map.h.
* Do not edit this file -- edit the source and rerun gen-make.py */
#define STMT_CREATE_SCHEMA 0
diff --git a/contrib/subversion/subversion/libsvn_ra_serf/commit.c b/contrib/subversion/subversion/libsvn_ra_serf/commit.c
index 4950ac48911a..1f9f1cc99f06 100644
--- a/contrib/subversion/subversion/libsvn_ra_serf/commit.c
+++ b/contrib/subversion/subversion/libsvn_ra_serf/commit.c
@@ -99,14 +99,11 @@ typedef struct proppatch_context_t {
} proppatch_context_t;
typedef struct delete_context_t {
- const char *path;
+ const char *relpath;
svn_revnum_t revision;
- const char *lock_token;
- apr_hash_t *lock_token_hash;
- svn_boolean_t keep_locks;
-
+ commit_context_t *commit;
} delete_context_t;
/* Represents a directory. */
@@ -149,7 +146,6 @@ typedef struct dir_context_t {
/* The checked-out working resource for this directory. May be NULL; if so
call checkout_dir() first. */
const char *working_url;
-
} dir_context_t;
/* Represents a file to be committed. */
@@ -1077,6 +1073,96 @@ setup_copy_file_headers(serf_bucket_t *headers,
return SVN_NO_ERROR;
}
+static svn_error_t *
+setup_if_header_recursive(svn_boolean_t *added,
+ serf_bucket_t *headers,
+ commit_context_t *commit_ctx,
+ const char *rq_relpath,
+ apr_pool_t *pool)
+{
+ svn_stringbuf_t *sb = NULL;
+ apr_hash_index_t *hi;
+ apr_pool_t *iterpool = NULL;
+
+ if (!commit_ctx->lock_tokens)
+ {
+ *added = FALSE;
+ return SVN_NO_ERROR;
+ }
+
+ /* We try to create a directory, so within the Subversion world that
+ would imply that there is nothing here, but mod_dav_svn still sees
+ locks on the old nodes here as in DAV it is perfectly legal to lock
+ something that is not there...
+
+ Let's make mod_dav, mod_dav_svn and the DAV RFC happy by providing
+ the locks we know of with the request */
+
+ for (hi = apr_hash_first(pool, commit_ctx->lock_tokens);
+ hi;
+ hi = apr_hash_next(hi))
+ {
+ const char *relpath = svn__apr_hash_index_key(hi);
+ apr_uri_t uri;
+
+ if (!svn_relpath_skip_ancestor(rq_relpath, relpath))
+ continue;
+ else if (svn_hash_gets(commit_ctx->deleted_entries, relpath))
+ {
+ /* When a path is already explicit deleted then its lock
+ will be removed by mod_dav. But mod_dav doesn't remove
+ locks on descendants */
+ continue;
+ }
+
+ if (!iterpool)
+ iterpool = svn_pool_create(pool);
+ else
+ svn_pool_clear(iterpool);
+
+ if (sb == NULL)
+ sb = svn_stringbuf_create("", pool);
+ else
+ svn_stringbuf_appendbyte(sb, ' ');
+
+ uri = commit_ctx->session->session_url;
+ uri.path = (char *)svn_path_url_add_component2(uri.path, relpath,
+ iterpool);
+
+ svn_stringbuf_appendbyte(sb, '<');
+ svn_stringbuf_appendcstr(sb, apr_uri_unparse(iterpool, &uri, 0));
+ svn_stringbuf_appendcstr(sb, "> (<");
+ svn_stringbuf_appendcstr(sb, svn__apr_hash_index_val(hi));
+ svn_stringbuf_appendcstr(sb, ">)");
+ }
+
+ if (iterpool)
+ svn_pool_destroy(iterpool);
+
+ if (sb)
+ {
+ serf_bucket_headers_set(headers, "If", sb->data);
+ *added = TRUE;
+ }
+ else
+ *added = FALSE;
+
+ return SVN_NO_ERROR;
+}
+
+static svn_error_t *
+setup_add_dir_common_headers(serf_bucket_t *headers,
+ void *baton,
+ apr_pool_t *pool)
+{
+ dir_context_t *dir = baton;
+ svn_boolean_t added;
+
+ return svn_error_trace(
+ setup_if_header_recursive(&added, headers, dir->commit, dir->relpath,
+ pool));
+}
+
static svn_error_t *
setup_copy_dir_headers(serf_bucket_t *headers,
void *baton,
@@ -1109,7 +1195,7 @@ setup_copy_dir_headers(serf_bucket_t *headers,
/* Implicitly checkout this dir now. */
dir->working_url = apr_pstrdup(dir->pool, uri.path);
- return SVN_NO_ERROR;
+ return svn_error_trace(setup_add_dir_common_headers(headers, baton, pool));
}
static svn_error_t *
@@ -1117,51 +1203,19 @@ setup_delete_headers(serf_bucket_t *headers,
void *baton,
apr_pool_t *pool)
{
- delete_context_t *ctx = baton;
+ delete_context_t *del = baton;
+ svn_boolean_t added;
serf_bucket_headers_set(headers, SVN_DAV_VERSION_NAME_HEADER,
- apr_ltoa(pool, ctx->revision));
+ apr_ltoa(pool, del->revision));
- if (ctx->lock_token_hash)
- {
- ctx->lock_token = svn_hash_gets(ctx->lock_token_hash, ctx->path);
+ SVN_ERR(setup_if_header_recursive(&added, headers, del->commit,
+ del->relpath, pool));
- if (ctx->lock_token)
- {
- const char *token_header;
+ if (added && del->commit->keep_locks)
+ serf_bucket_headers_setn(headers, SVN_DAV_OPTIONS_HEADER,
+ SVN_DAV_OPTION_KEEP_LOCKS);
- token_header = apr_pstrcat(pool, "<", ctx->path, "> (<",
- ctx->lock_token, ">)", (char *)NULL);
-
- serf_bucket_headers_set(headers, "If", token_header);
-
- if (ctx->keep_locks)
- serf_bucket_headers_setn(headers, SVN_DAV_OPTIONS_HEADER,
- SVN_DAV_OPTION_KEEP_LOCKS);
- }
- }
-
- return SVN_NO_ERROR;
-}
-
-/* Implements svn_ra_serf__request_body_delegate_t */
-static svn_error_t *
-create_delete_body(serf_bucket_t **body_bkt,
- void *baton,
- serf_bucket_alloc_t *alloc,
- apr_pool_t *pool)
-{
- delete_context_t *ctx = baton;
- serf_bucket_t *body;
-
- body = serf_bucket_aggregate_create(alloc);
-
- svn_ra_serf__add_xml_header_buckets(body, alloc);
-
- svn_ra_serf__merge_lock_token_list(ctx->lock_token_hash, ctx->path,
- body, alloc, pool);
-
- *body_bkt = body;
return SVN_NO_ERROR;
}
@@ -1541,7 +1595,6 @@ delete_entry(const char *path,
delete_context_t *delete_ctx;
svn_ra_serf__handler_t *handler;
const char *delete_target;
- svn_error_t *err;
if (USING_HTTPV2_COMMIT_SUPPORT(dir->commit))
{
@@ -1560,10 +1613,9 @@ delete_entry(const char *path,
/* DELETE our entry */
delete_ctx = apr_pcalloc(pool, sizeof(*delete_ctx));
- delete_ctx->path = apr_pstrdup(pool, path);
+ delete_ctx->relpath = apr_pstrdup(pool, path);
delete_ctx->revision = revision;
- delete_ctx->lock_token_hash = dir->commit->lock_tokens;
- delete_ctx->keep_locks = dir->commit->keep_locks;
+ delete_ctx->commit = dir->commit;
handler = apr_pcalloc(pool, sizeof(*handler));
handler->handler_pool = pool;
@@ -1579,30 +1631,7 @@ delete_entry(const char *path,
handler->method = "DELETE";
handler->path = delete_target;
- err = svn_ra_serf__context_run_one(handler, pool);
-
- if (err &&
- (err->apr_err == SVN_ERR_FS_BAD_LOCK_TOKEN ||
- err->apr_err == SVN_ERR_FS_NO_LOCK_TOKEN ||
- err->apr_err == SVN_ERR_FS_LOCK_OWNER_MISMATCH ||
- err->apr_err == SVN_ERR_FS_PATH_ALREADY_LOCKED))
- {
- svn_error_clear(err);
-
- /* An error has been registered on the connection. Reset the thing
- so that we can use it again. */
- serf_connection_reset(handler->conn->conn);
-
- handler->body_delegate = create_delete_body;
- handler->body_delegate_baton = delete_ctx;
- handler->body_type = "text/xml";
-
- SVN_ERR(svn_ra_serf__context_run_one(handler, pool));
- }
- else if (err)
- {
- return err;
- }
+ SVN_ERR(svn_ra_serf__context_run_one(handler, pool));
/* 204 No Content: item successfully deleted */
if (handler->sline.code != 204)
@@ -1673,6 +1702,9 @@ add_directory(const char *path,
{
handler->method = "MKCOL";
handler->path = mkcol_target;
+
+ handler->header_delegate = setup_add_dir_common_headers;
+ handler->header_delegate_baton = dir;
}
else
{
@@ -2341,7 +2373,8 @@ svn_ra_serf__get_commit_editor(svn_ra_session_t *ra_session,
ctx->callback = callback;
ctx->callback_baton = callback_baton;
- ctx->lock_tokens = lock_tokens;
+ ctx->lock_tokens = (lock_tokens && apr_hash_count(lock_tokens))
+ ? lock_tokens : NULL;
ctx->keep_locks = keep_locks;
ctx->deleted_entries = apr_hash_make(ctx->pool);
diff --git a/contrib/subversion/subversion/libsvn_ra_serf/options.c b/contrib/subversion/subversion/libsvn_ra_serf/options.c
index a3c2fb95c881..f61ee87142c6 100644
--- a/contrib/subversion/subversion/libsvn_ra_serf/options.c
+++ b/contrib/subversion/subversion/libsvn_ra_serf/options.c
@@ -302,7 +302,7 @@ capabilities_headers_iterator_callback(void *baton,
/* May contain multiple values, separated by commas. */
int i;
apr_array_header_t *vals = svn_cstring_split(val, ",", TRUE,
- opt_ctx->pool);
+ session->pool);
for (i = 0; i < vals->nelts; i++)
{
diff --git a/contrib/subversion/subversion/libsvn_ra_serf/util.c b/contrib/subversion/subversion/libsvn_ra_serf/util.c
index 60fa3c44af17..8f6c1bb5d4fa 100644
--- a/contrib/subversion/subversion/libsvn_ra_serf/util.c
+++ b/contrib/subversion/subversion/libsvn_ra_serf/util.c
@@ -28,7 +28,6 @@
#define APR_WANT_STRFUNC
#include
#include
-#include
#include
#include
@@ -49,6 +48,7 @@
#include "private/svn_fspath.h"
#include "private/svn_subr_private.h"
#include "private/svn_auth_private.h"
+#include "private/svn_cert.h"
#include "ra_serf.h"
@@ -274,7 +274,6 @@ ssl_server_cert(void *baton, int failures,
apr_hash_t *subject = NULL;
apr_hash_t *serf_cert = NULL;
void *creds;
- int found_matching_hostname = 0;
svn_failures = (ssl_convert_serf_failures(failures)
| conn->server_cert_failures);
@@ -286,26 +285,37 @@ ssl_server_cert(void *baton, int failures,
### This should really be handled by serf, which should pass an error
for this case, but that has backwards compatibility issues. */
apr_array_header_t *san;
+ svn_boolean_t found_san_entry = FALSE;
+ svn_boolean_t found_matching_hostname = FALSE;
+ svn_string_t *actual_hostname =
+ svn_string_create(conn->session->session_url.hostname, scratch_pool);
serf_cert = serf_ssl_cert_certificate(cert, scratch_pool);
san = svn_hash_gets(serf_cert, "subjectAltName");
/* Try to find matching server name via subjectAltName first... */
- if (san) {
+ if (san)
+ {
int i;
- for (i = 0; i < san->nelts; i++) {
+ found_san_entry = san->nelts > 0;
+ for (i = 0; i < san->nelts; i++)
+ {
const char *s = APR_ARRAY_IDX(san, i, const char*);
- if (apr_fnmatch(s, conn->session->session_url.hostname,
- APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
- {
- found_matching_hostname = 1;
- break;
- }
- }
- }
+ svn_string_t *cert_hostname = svn_string_create(s, scratch_pool);
- /* Match server certificate CN with the hostname of the server */
- if (!found_matching_hostname)
+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
+ {
+ found_matching_hostname = TRUE;
+ break;
+ }
+ }
+ }
+
+ /* Match server certificate CN with the hostname of the server iff
+ * we didn't find any subjectAltName fields and try to match them.
+ * Per RFC 2818 they are authoritative if present and CommonName
+ * should be ignored. */
+ if (!found_matching_hostname && !found_san_entry)
{
const char *hostname = NULL;
@@ -314,13 +324,20 @@ ssl_server_cert(void *baton, int failures,
if (subject)
hostname = svn_hash_gets(subject, "CN");
- if (!hostname
- || apr_fnmatch(hostname, conn->session->session_url.hostname,
- APR_FNM_PERIOD | APR_FNM_CASE_BLIND) != APR_SUCCESS)
- {
- svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
- }
- }
+ if (hostname)
+ {
+ svn_string_t *cert_hostname = svn_string_create(hostname,
+ scratch_pool);
+
+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
+ {
+ found_matching_hostname = TRUE;
+ }
+ }
+ }
+
+ if (!found_matching_hostname)
+ svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
}
if (!svn_failures)
diff --git a/contrib/subversion/subversion/libsvn_subr/config_auth.c b/contrib/subversion/subversion/libsvn_subr/config_auth.c
index 091e4e84abcd..ed26a58cb362 100644
--- a/contrib/subversion/subversion/libsvn_subr/config_auth.c
+++ b/contrib/subversion/subversion/libsvn_subr/config_auth.c
@@ -94,6 +94,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
if (kind == svn_node_file)
{
svn_stream_t *stream;
+ svn_string_t *stored_realm;
SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
_("Unable to open auth file for reading"));
@@ -104,6 +105,11 @@ svn_config_read_auth_data(apr_hash_t **hash,
apr_psprintf(pool, _("Error parsing '%s'"),
svn_dirent_local_style(auth_path, pool)));
+ stored_realm = svn_hash_gets(*hash, SVN_CONFIG_REALMSTRING_KEY);
+
+ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
+ *hash = NULL; /* Hash collision, or somebody tampering with storage */
+
SVN_ERR(svn_stream_close(stream));
}
diff --git a/contrib/subversion/subversion/libsvn_subr/dirent_uri.c b/contrib/subversion/subversion/libsvn_subr/dirent_uri.c
index 4801f8c8e114..6886a3e7550e 100644
--- a/contrib/subversion/subversion/libsvn_subr/dirent_uri.c
+++ b/contrib/subversion/subversion/libsvn_subr/dirent_uri.c
@@ -38,6 +38,7 @@
#include "dirent_uri.h"
#include "private/svn_fspath.h"
+#include "private/svn_cert.h"
/* The canonical empty path. Can this be changed? Well, change the empty
test below and the path library will work, not so sure about the fs/wc
@@ -2597,3 +2598,81 @@ svn_urlpath__canonicalize(const char *uri,
}
return uri;
}
+
+
+/* -------------- The cert API (see private/svn_cert.h) ------------- */
+
+svn_boolean_t
+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname)
+{
+ apr_size_t pattern_pos = 0, hostname_pos = 0;
+
+ /* support leading wildcards that composed of the only character in the
+ * left-most label. */
+ if (pattern->len >= 2 &&
+ pattern->data[pattern_pos] == '*' &&
+ pattern->data[pattern_pos + 1] == '.')
+ {
+ while (hostname_pos < hostname->len &&
+ hostname->data[hostname_pos] != '.')
+ {
+ hostname_pos++;
+ }
+ /* Assume that the wildcard must match something. Rule 2 says
+ * that *.example.com should not match example.com. If the wildcard
+ * ends up not matching anything then it matches .example.com which
+ * seems to be essentially the same as just example.com */
+ if (hostname_pos == 0)
+ return FALSE;
+
+ pattern_pos++;
+ }
+
+ while (pattern_pos < pattern->len && hostname_pos < hostname->len)
+ {
+ char pattern_c = pattern->data[pattern_pos];
+ char hostname_c = hostname->data[hostname_pos];
+
+ /* fold case as described in RFC 4343.
+ * Note: We actually convert to lowercase, since our URI
+ * canonicalization code converts to lowercase and generally
+ * most certs are issued with lowercase DNS names, meaning
+ * this avoids the fold operation in most cases. The RFC
+ * suggests the opposite transformation, but doesn't require
+ * any specific implementation in any case. It is critical
+ * that this folding be locale independent so you can't use
+ * tolower(). */
+ pattern_c = canonicalize_to_lower(pattern_c);
+ hostname_c = canonicalize_to_lower(hostname_c);
+
+ if (pattern_c != hostname_c)
+ {
+ /* doesn't match */
+ return FALSE;
+ }
+ else
+ {
+ /* characters match so skip both */
+ pattern_pos++;
+ hostname_pos++;
+ }
+ }
+
+ /* ignore a trailing period on the hostname since this has no effect on the
+ * security of the matching. See the following for the long explanation as
+ * to why:
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28
+ */
+ if (pattern_pos == pattern->len &&
+ hostname_pos == hostname->len - 1 &&
+ hostname->data[hostname_pos] == '.')
+ hostname_pos++;
+
+ if (pattern_pos != pattern->len || hostname_pos != hostname->len)
+ {
+ /* end didn't match */
+ return FALSE;
+ }
+
+ return TRUE;
+}
diff --git a/contrib/subversion/subversion/libsvn_subr/internal_statements.h b/contrib/subversion/subversion/libsvn_subr/internal_statements.h
index 4fa938932ecc..58616f4c450f 100644
--- a/contrib/subversion/subversion/libsvn_subr/internal_statements.h
+++ b/contrib/subversion/subversion/libsvn_subr/internal_statements.h
@@ -1,4 +1,4 @@
-/* This file is automatically generated from internal_statements.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_subr/token-map.h.
+/* This file is automatically generated from internal_statements.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_subr/token-map.h.
* Do not edit this file -- edit the source and rerun gen-make.py */
#define STMT_INTERNAL_SAVEPOINT_SVN 0
diff --git a/contrib/subversion/subversion/libsvn_subr/opt.c b/contrib/subversion/subversion/libsvn_subr/opt.c
index e499089c4170..d91a2ef379f9 100644
--- a/contrib/subversion/subversion/libsvn_subr/opt.c
+++ b/contrib/subversion/subversion/libsvn_subr/opt.c
@@ -417,7 +417,9 @@ svn_opt_subcommand_help3(const char *subcommand,
_("\"%s\": unknown command.\n\n"), subcommand);
if (err) {
- svn_handle_error2(err, stderr, FALSE, "svn: ");
+ /* Issue #3014: Don't print anything on broken pipes. */
+ if (err->apr_err != SVN_ERR_IO_PIPE_WRITE_ERROR)
+ svn_handle_error2(err, stderr, FALSE, "svn: ");
svn_error_clear(err);
}
}
diff --git a/contrib/subversion/subversion/libsvn_wc/wc-checks.h b/contrib/subversion/subversion/libsvn_wc/wc-checks.h
index 9fd40bd9fad9..43a006645426 100644
--- a/contrib/subversion/subversion/libsvn_wc/wc-checks.h
+++ b/contrib/subversion/subversion/libsvn_wc/wc-checks.h
@@ -1,4 +1,4 @@
-/* This file is automatically generated from wc-checks.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_wc/token-map.h.
+/* This file is automatically generated from wc-checks.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_wc/token-map.h.
* Do not edit this file -- edit the source and rerun gen-make.py */
#define STMT_VERIFICATION_TRIGGERS 0
diff --git a/contrib/subversion/subversion/libsvn_wc/wc-metadata.h b/contrib/subversion/subversion/libsvn_wc/wc-metadata.h
index e39db8ab6ba1..b24f24ff3fbc 100644
--- a/contrib/subversion/subversion/libsvn_wc/wc-metadata.h
+++ b/contrib/subversion/subversion/libsvn_wc/wc-metadata.h
@@ -1,4 +1,4 @@
-/* This file is automatically generated from wc-metadata.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_wc/token-map.h.
+/* This file is automatically generated from wc-metadata.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_wc/token-map.h.
* Do not edit this file -- edit the source and rerun gen-make.py */
#define STMT_CREATE_SCHEMA 0
diff --git a/contrib/subversion/subversion/libsvn_wc/wc-queries.h b/contrib/subversion/subversion/libsvn_wc/wc-queries.h
index 3fc6b2fe0f5f..2508bcf256e2 100644
--- a/contrib/subversion/subversion/libsvn_wc/wc-queries.h
+++ b/contrib/subversion/subversion/libsvn_wc/wc-queries.h
@@ -1,4 +1,4 @@
-/* This file is automatically generated from wc-queries.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_wc/token-map.h.
+/* This file is automatically generated from wc-queries.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_wc/token-map.h.
* Do not edit this file -- edit the source and rerun gen-make.py */
#define STMT_SELECT_NODE_INFO 0
diff --git a/contrib/subversion/subversion/libsvn_wc/wc_db.c b/contrib/subversion/subversion/libsvn_wc/wc_db.c
index 81056c9a4a6a..ed59d4cf6456 100644
--- a/contrib/subversion/subversion/libsvn_wc/wc_db.c
+++ b/contrib/subversion/subversion/libsvn_wc/wc_db.c
@@ -3815,8 +3815,15 @@ cross_db_copy(svn_wc__db_wcroot_t *src_wcroot,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
src_wcroot, src_relpath, scratch_pool, scratch_pool));
- SVN_ERR(db_read_pristine_props(&props, src_wcroot, src_relpath, FALSE,
- scratch_pool, scratch_pool));
+ if (dst_status != svn_wc__db_status_not_present
+ && dst_status != svn_wc__db_status_excluded
+ && dst_status != svn_wc__db_status_server_excluded)
+ {
+ SVN_ERR(db_read_pristine_props(&props, src_wcroot, src_relpath, FALSE,
+ scratch_pool, scratch_pool));
+ }
+ else
+ props = NULL;
blank_iwb(&iwb);
iwb.presence = dst_status;
@@ -5131,6 +5138,17 @@ db_op_copy_shadowed_layer(svn_wc__db_wcroot_t *src_wcroot,
scratch_pool));
}
+ if (dst_presence == svn_wc__db_status_not_present)
+ {
+ /* Don't create descendants of a not present node! */
+
+ /* This code is currently still triggered by copying deleted nodes
+ between separate working copies. See ### comment above. */
+
+ svn_pool_destroy(iterpool);
+ return SVN_NO_ERROR;
+ }
+
SVN_ERR(gather_repo_children(&children, src_wcroot, src_relpath,
src_op_depth, scratch_pool, iterpool));
diff --git a/usr.bin/svn/svn_private_config.h b/usr.bin/svn/svn_private_config.h
index 9e0ac1542f06..3583d6e79555 100644
--- a/usr.bin/svn/svn_private_config.h
+++ b/usr.bin/svn/svn_private_config.h
@@ -105,7 +105,7 @@
#define PACKAGE_NAME "subversion"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "subversion 1.8.9"
+#define PACKAGE_STRING "subversion 1.8.10"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "subversion"
@@ -114,7 +114,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
-#define PACKAGE_VERSION "1.8.9"
+#define PACKAGE_VERSION "1.8.10"
/* Define to 1 if you have the ANSI C header files. */
#define STDC_HEADERS 1