diff --git a/contrib/serf/CHANGES b/contrib/serf/CHANGES index 441eb1edf630..6d39b0c5c096 100644 --- a/contrib/serf/CHANGES +++ b/contrib/serf/CHANGES @@ -1,8 +1,11 @@ -Serf 1.3.6 [2014-06-09, from /tags/1.3.6, rxxxx] +Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411] + Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399) + +Serf 1.3.6 [2014-06-09, from /tags/1.3.6, r2372] Revert r2319 from serf 1.3.5: this change was making serf call handle_response multiple times in case of an error response, leading to unexpected behavior. -Serf 1.3.5 [2014-04-27, from /tags/1.3.5, rxxxx] +Serf 1.3.5 [2014-04-27, from /tags/1.3.5, r2355] Fix issue #125: no reverse lookup during Negotiate authentication for proxies. Fix a crash caused by incorrect reuse of the ssltunnel CONNECT request (r2316) Cancel request if response parsing failed + authn callback set (r2319) diff --git a/contrib/serf/buckets/ssl_buckets.c b/contrib/serf/buckets/ssl_buckets.c index 1a27d3f8e4fe..d2fe51d71501 100644 --- a/contrib/serf/buckets/ssl_buckets.c +++ b/contrib/serf/buckets/ssl_buckets.c @@ -202,6 +202,8 @@ struct serf_ssl_certificate_t { }; static void disable_compression(serf_ssl_context_t *ssl_ctx); +static char * + pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool); #if SSL_VERBOSE /* Log all ssl alerts that we receive from the server. */ 
@@ -427,6 +429,85 @@ static BIO_METHOD bio_file_method = { #endif }; +typedef enum san_copy_t { + EscapeNulAndCopy = 0, + ErrorOnNul = 1, +} san_copy_t; + + +static apr_status_t +get_subject_alt_names(apr_array_header_t **san_arr, X509 *ssl_cert, + san_copy_t copy_action, apr_pool_t *pool) +{ + STACK_OF(GENERAL_NAME) *names; + + /* assert: copy_action == ErrorOnNul || (san_arr && pool) */ + + if (san_arr) { + *san_arr = NULL; + } + + /* Get subjectAltNames */ + names = X509_get_ext_d2i(ssl_cert, NID_subject_alt_name, NULL, NULL); + if (names) { + int names_count = sk_GENERAL_NAME_num(names); + int name_idx; + + if (san_arr) + *san_arr = apr_array_make(pool, names_count, sizeof(char*)); + for (name_idx = 0; name_idx < names_count; name_idx++) { + char *p = NULL; + GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, name_idx); + + switch (nm->type) { + case GEN_DNS: + if (copy_action == ErrorOnNul && + strlen(nm->d.ia5->data) != nm->d.ia5->length) + return SERF_ERROR_SSL_CERT_FAILED; + if (san_arr && *san_arr) + p = pstrdup_escape_nul_bytes((const char *)nm->d.ia5->data, + nm->d.ia5->length, + pool); + break; + default: + /* Don't know what to do - skip. */ + break; + } + + if (p) { + APR_ARRAY_PUSH(*san_arr, char*) = p; + } + } + sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); + } + + return APR_SUCCESS; +} + +static apr_status_t validate_cert_hostname(X509 *server_cert, apr_pool_t *pool) +{ + char buf[1024]; + int length; + apr_status_t ret; + + ret = get_subject_alt_names(NULL, server_cert, ErrorOnNul, NULL); + if (ret) { + return ret; + } else { + /* Fail if the subject's CN field contains \0 characters. 
*/ + X509_NAME *subject = X509_get_subject_name(server_cert); + if (!subject) + return SERF_ERROR_SSL_CERT_FAILED; + + length = X509_NAME_get_text_by_NID(subject, NID_commonName, buf, 1024); + if (length != -1) + if (strlen(buf) != length) + return SERF_ERROR_SSL_CERT_FAILED; + } + + return APR_SUCCESS; +} + static int validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx) { @@ -435,6 +516,7 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx) X509 *server_cert; int err, depth; int failures = 0; + apr_status_t status; ssl = X509_STORE_CTX_get_ex_data(store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); @@ -475,6 +557,11 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx) } } + /* Validate hostname */ + status = validate_cert_hostname(server_cert, ctx->pool); + if (status) + failures |= SERF_SSL_CERT_UNKNOWN_FAILURE; + /* Check certificate expiry dates. */ if (X509_cmp_current_time(X509_get_notBefore(server_cert)) >= 0) { failures |= SERF_SSL_CERT_NOTYETVALID; @@ -485,7 +572,6 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx) if (ctx->server_cert_callback && (depth == 0 || failures)) { - apr_status_t status; serf_ssl_certificate_t *cert; apr_pool_t *subpool; @@ -512,7 +598,6 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx) if (ctx->server_cert_chain_callback && (depth == 0 || failures)) { - apr_status_t status; STACK_OF(X509) *chain; const serf_ssl_certificate_t **certs; int certs_len; 
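Review bot: In get_subject_alt_names, the `return SERF_ERROR_SSL_CERT_FAILED;` inside the GEN_DNS case exits before `sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free)` runs, so the decoded subjectAltName stack is leaked every time a certificate is rejected for an embedded NUL. Brace the `if` and release the stack first: `sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); return SERF_ERROR_SSL_CERT_FAILED;`. The test itself, `strlen(nm->d.ia5->data) != nm->d.ia5->length`, passes an `unsigned char *` to strlen, compares size_t with int, and relies on a terminator existing past `length`. `memchr(nm->d.ia5->data, '\0', nm->d.ia5->length) != NULL` stays inside the counted length. In validate_cert_hostname the nested unbraced `if (length != -1) if (strlen(buf) != length)` has the same signed/unsigned comparison and, as far as the call shows, looks only at the first commonName entry.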
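Review bot: The `/* Validate hostname */` comment above the new call in validate_server_certificate promises more than validate_cert_hostname does. As added in this commit, the helper only rejects a commonName or DNS subjectAltName that contains an embedded NUL and never compares a name with the host being contacted. I would word the comment as `/* Reject certificates whose CN or DNS subjectAltName contains a NUL byte. */` so nobody assumes hostname matching happens here. The helper's `pool` argument is unused, and its status is folded into `SERF_SSL_CERT_UNKNOWN_FAILURE`, so a callback cannot tell this rejection from any other unknown failure; a short comment saying so would help. validate_server_certificate begins and ends outside the hunk.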
@@ -1461,7 +1546,50 @@ serf_ssl_context_t *serf_bucket_ssl_encrypt_context_get( /* Functions to read a serf_ssl_certificate structure. */ -/* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). */ +/* Takes a counted length string and escapes any NUL bytes so that + * it can be used as a C string. NUL bytes are escaped as 3 characters + * "\00" (that's a literal backslash). + * The returned string is allocated in POOL. + */ +static char * +pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool) +{ + int i, nul_count = 0; + char *ret; + + /* First determine if there are any nul bytes in the string. */ + for (i = 0; i < len; i++) { + if (buf[i] == '\0') + nul_count++; + } + + if (nul_count == 0) { + /* There aren't so easy case to just copy the string */ + ret = apr_pstrdup(pool, buf); + } else { + /* There are so we have to replace nul bytes with escape codes + * Proper length is the length of the original string, plus + * 2 times the number of nulls (for two digit hex code for + * the value) + the trailing null. */ + char *pos; + ret = pos = apr_palloc(pool, len + 2 * nul_count + 1); + for (i = 0; i < len; i++) { + if (buf[i] != '\0') { + *(pos++) = buf[i]; + } else { + *(pos++) = '\\'; + *(pos++) = '0'; + *(pos++) = '0'; + } + } + *pos = '\0'; + } + + return ret; +} + +/* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). Any NUL bytes in + these fields in the certificate will be escaped as \00. */ static apr_hash_t * convert_X509_NAME_to_table(X509_NAME *org, apr_pool_t *pool) { 
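Review bot: The no-NUL branch of pstrdup_escape_nul_bytes falls back to `apr_pstrdup(pool, buf)`, which ignores `len` and reads until it finds a terminator, although the header comment describes the input as a counted-length string. The subjectAltName code this commit replaces used a length-bounded copy, so I would keep that property with `ret = apr_pstrmemdup(pool, buf, len);`. The escape is also ambiguous: a literal backslash in the field is copied unchanged, so the three characters `\00` already present in a certificate and an escaped NUL produce identical output. Either escape the backslash as well or say in the comment that the result cannot be reversed.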
@@ -1474,37 +1602,44 @@ convert_X509_NAME_to_table(X509_NAME *org, apr_pool_t *pool) NID_commonName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_pkcs9_emailAddress, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "E", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "E", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_organizationalUnitName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_organizationName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "O", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "O", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_localityName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "L", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "L", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_stateOrProvinceName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_countryName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "C", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "C", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); return tgt; } 
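Review bot: The seven lookups in convert_X509_NAME_to_table repeat the same three-statement pattern, and each one has to remember to hand `ret` to pstrdup_escape_nul_bytes. A small static table of NID/key pairs walked by one loop would keep the escaping in a single place, so a field added later cannot miss it. The sketch keeps the literal `1024` because the declaration of `buf` is outside the hunk, as is the start of the function.

```c
static const struct { int nid; const char *key; } fields[] = {
    { NID_commonName,             "CN" },
    { NID_pkcs9_emailAddress,     "E"  },
    { NID_organizationalUnitName, "OU" },
    { NID_organizationName,       "O"  },
    { NID_localityName,           "L"  },
    { NID_stateOrProvinceName,    "ST" },
    { NID_countryName,            "C"  },
};
size_t idx;

/* … unchanged: declarations and creation of tgt … */

for (idx = 0; idx < sizeof(fields) / sizeof(fields[0]); idx++) {
    ret = X509_NAME_get_text_by_NID(org, fields[idx].nid, buf, 1024);
    if (ret != -1)
        apr_hash_set(tgt, fields[idx].key, APR_HASH_KEY_STRING,
                     pstrdup_escape_nul_bytes(buf, ret, pool));
}

return tgt;
```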
@@ -1550,7 +1685,7 @@ apr_hash_t *serf_ssl_cert_certificate( unsigned int md_size, i; unsigned char md[EVP_MAX_MD_SIZE]; BIO *bio; - STACK_OF(GENERAL_NAME) *names; + apr_array_header_t *san_arr; /* sha1 fingerprint */ if (X509_digest(cert->ssl_cert, EVP_sha1(), md, &md_size)) { @@ -1595,32 +1730,8 @@ apr_hash_t *serf_ssl_cert_certificate( BIO_free(bio); /* Get subjectAltNames */ - names = X509_get_ext_d2i(cert->ssl_cert, NID_subject_alt_name, NULL, NULL); - if (names) { - int names_count = sk_GENERAL_NAME_num(names); - - apr_array_header_t *san_arr = apr_array_make(pool, names_count, - sizeof(char*)); + if (!get_subject_alt_names(&san_arr, cert->ssl_cert, EscapeNulAndCopy, pool)) apr_hash_set(tgt, "subjectAltName", APR_HASH_KEY_STRING, san_arr); - for (i = 0; i < names_count; i++) { - char *p = NULL; - GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, i); - - switch (nm->type) { - case GEN_DNS: - p = apr_pstrmemdup(pool, (const char *)nm->d.ia5->data, - nm->d.ia5->length); - break; - default: - /* Don't know what to do - skip. */ - break; - } - if (p) { - APR_ARRAY_PUSH(san_arr, char*) = p; - } - } - sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); - } return tgt; } diff --git a/contrib/serf/serf.h b/contrib/serf/serf.h index d3ac2f3548de..f6f34a7c7ddd 100644 --- a/contrib/serf/serf.h +++ b/contrib/serf/serf.h @@ -1062,7 +1062,7 @@ void serf_debug__bucket_alloc_check( /* Version info */ #define SERF_MAJOR_VERSION 1 #define SERF_MINOR_VERSION 3 -#define SERF_PATCH_VERSION 6 +#define SERF_PATCH_VERSION 7 /* Version number string */ #define SERF_VERSION_STRING APR_STRINGIFY(SERF_MAJOR_VERSION) "." \ diff --git a/contrib/subversion/CHANGES b/contrib/subversion/CHANGES index f10874794683..616caec3fb9d 100644 --- a/contrib/subversion/CHANGES +++ b/contrib/subversion/CHANGES 
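Review bot: The new call in serf_ssl_cert_certificate stores `san_arr` even when it is NULL, which is what get_subject_alt_names leaves behind for a certificate without a subjectAltName extension. This works only because apr_hash_set treats a NULL value as "no entry". With `EscapeNulAndCopy` the helper, as written in this commit, always returns APR_SUCCESS, so the `!` test never fails. A comment would make both facts visible, for example `/* san_arr stays NULL when the certificate has no subjectAltName; apr_hash_set then leaves the key unset. */`. The function body starts outside the hunk.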
@@ -1,3 +1,45 @@ +Version 1.8.10 +(11 Aug 2014, from /branches/1.8.x) +http://svn.apache.org/repos/asf/subversion/tags/1.8.10 + + User-visible changes: + - Client-side bugfixes: + * guard against md5 hash collisions when finding cached credentials + (r1550691, r1550772, r1600909) + * ra_serf: properly match wildcards in SSL certs. (r1615211, 1615219) + * ra_serf: ignore the CommonName in SSL certs where there are Subject Alt + Names (r1565531, r1566503, r1568349, r1568361) + * ra_serf: fix a URI escaping bug that prevented deleting locked paths + (r1594223, r1553501, r1553556, r1559197, issue #3674) + * rm: Display the proper URL when deleting a URL in the commit log editor + (r1591123) + * log: Fix another instance of broken pipe error (r1596866, issue #3014) + * copy: Properly handle props not present or excluded on cross wc copy + (r1589184, r1589188) + * copy: Fix copying parents of locally deleted nodes between wcs + (r1589460, r1589486) + * externals: Properly delete ancestor directories of externals when + removing the external by changing svn:externals. (r1600311, 1600315, + r1600323, r1600393) + * ra_serf: fix memory lifetime of some hash values (r1606009) + + - Server-side bugfixes: + * fsfs: omit config file when creating pre-1.5 format repos (r1547454, + r1561703) + + Developer-visible changes: + - General: + * fix improper linking when serf is in the same prefix as existing svn + libraries. (r1609004) + * use proper intermediate directory when building with VS 2003-2008 + (r1595431) + * support generating VS 2013 and later project files. + + - Bindings: + * ruby: removing warning about Ruby 1.9 support being new. (r1593992) + * python: fix notify_func callbacks (r1594794, r1594814, r1594834, r1595061) + + Version 1.8.9 (07 May 2014, from /branches/1.8.x) http://svn.apache.org/repos/asf/subversion/tags/1.8.9 
@@ -687,6 +729,24 @@ http://svn.apache.org/repos/asf/subversion/tags/1.8.0 * fix some reference counting bugs in swig-py bindings (r1464899, r1466524) +Version 1.7.18 +(11 Aug 2014, from /branches/1.7.x) +http://svn.apache.org/repos/asf/subversion/tags/1.7.18 + + User-visible changes: + - Client-side bugfixes: + * guard against md5 hash collisions when finding cached credentials + (r1550691, r1550772, r1600909) + * ra_serf: properly match wildcards in SSL certs. (r1615211, 1615219) + * ra_serf: ignore the CommonName in SSL certs where there are Subject Alt + Names (r1565531, r1566503, r1568349) + + Developer-visible changes: + - General: + * fix ocassional failure in checkout_tests.py test 12. (r1496127) + * disable building ZLib's assembly optimizations on Windows. + + Version 1.7.17 (07 May 2014, from /branches/1.7.x) http://svn.apache.org/repos/asf/subversion/tags/1.7.17 diff --git a/contrib/subversion/build-outputs.mk b/contrib/subversion/build-outputs.mk index 6d73c30bc8d6..3126b3f7fdd6 100644 --- a/contrib/subversion/build-outputs.mk +++ b/contrib/subversion/build-outputs.mk 
@@ -2231,7 +2231,7 @@ subversion/libsvn_ra_serf/serf.lo: subversion/libsvn_ra_serf/serf.c subversion/i subversion/libsvn_ra_serf/update.lo: subversion/libsvn_ra_serf/update.c subversion/include/private/svn_dav_protocol.h subversion/include/private/svn_debug.h subversion/include/private/svn_dep_compat.h subversion/include/private/svn_editor.h subversion/include/private/svn_fspath.h subversion/include/private/svn_ra_private.h subversion/include/private/svn_string_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_base64.h subversion/include/svn_checksum.h subversion/include/svn_config.h subversion/include/svn_dav.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_props.h subversion/include/svn_ra.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/include/svn_version.h subversion/include/svn_xml.h subversion/libsvn_ra/ra_loader.h subversion/libsvn_ra_serf/blncache.h subversion/libsvn_ra_serf/ra_serf.h subversion/svn_private_config.h -subversion/libsvn_ra_serf/util.lo: subversion/libsvn_ra_serf/util.c subversion/include/private/svn_auth_private.h subversion/include/private/svn_dav_protocol.h subversion/include/private/svn_debug.h subversion/include/private/svn_dep_compat.h subversion/include/private/svn_editor.h subversion/include/private/svn_fspath.h subversion/include/private/svn_ra_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_checksum.h subversion/include/svn_config.h subversion/include/svn_dav.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h 
subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_props.h subversion/include/svn_ra.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/include/svn_version.h subversion/include/svn_xml.h subversion/libsvn_ra/ra_loader.h subversion/libsvn_ra_serf/blncache.h subversion/libsvn_ra_serf/ra_serf.h subversion/svn_private_config.h +subversion/libsvn_ra_serf/util.lo: subversion/libsvn_ra_serf/util.c subversion/include/private/svn_auth_private.h subversion/include/private/svn_cert.h subversion/include/private/svn_dav_protocol.h subversion/include/private/svn_debug.h subversion/include/private/svn_dep_compat.h subversion/include/private/svn_editor.h subversion/include/private/svn_fspath.h subversion/include/private/svn_ra_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_checksum.h subversion/include/svn_config.h subversion/include/svn_dav.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_props.h subversion/include/svn_ra.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/include/svn_version.h subversion/include/svn_xml.h subversion/libsvn_ra/ra_loader.h subversion/libsvn_ra_serf/blncache.h subversion/libsvn_ra_serf/ra_serf.h subversion/svn_private_config.h subversion/libsvn_ra_serf/util_error.lo: subversion/libsvn_ra_serf/util_error.c subversion/include/private/svn_dav_protocol.h subversion/include/private/svn_debug.h subversion/include/private/svn_editor.h subversion/include/private/svn_error_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_checksum.h 
subversion/include/svn_config.h subversion/include/svn_dav.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_pools.h subversion/include/svn_ra.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/include/svn_utf.h subversion/include/svn_version.h subversion/libsvn_ra_serf/blncache.h subversion/libsvn_ra_serf/ra_serf.h 
@@ -2329,7 +2329,7 @@ subversion/libsvn_subr/debug.lo: subversion/libsvn_subr/debug.c subversion/inclu subversion/libsvn_subr/deprecated.lo: subversion/libsvn_subr/deprecated.c subversion/include/private/svn_debug.h subversion/include/private/svn_mergeinfo_private.h subversion/include/private/svn_opt_private.h subversion/include/private/svn_subr_private.h subversion/include/svn_auth.h subversion/include/svn_checksum.h subversion/include/svn_cmdline.h subversion/include/svn_config.h subversion/include/svn_dirent_uri.h subversion/include/svn_dso.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_mergeinfo.h subversion/include/svn_opt.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_subst.h subversion/include/svn_types.h subversion/include/svn_utf.h subversion/include/svn_version.h subversion/include/svn_xml.h subversion/libsvn_subr/opt.h subversion/svn_private_config.h -subversion/libsvn_subr/dirent_uri.lo: subversion/libsvn_subr/dirent_uri.c subversion/include/private/svn_debug.h subversion/include/private/svn_fspath.h subversion/include/svn_ctype.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_path.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/libsvn_subr/dirent_uri.h subversion/svn_private_config.h +subversion/libsvn_subr/dirent_uri.lo: subversion/libsvn_subr/dirent_uri.c subversion/include/private/svn_cert.h subversion/include/private/svn_debug.h subversion/include/private/svn_fspath.h subversion/include/svn_ctype.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_path.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/libsvn_subr/dirent_uri.h subversion/svn_private_config.h 
subversion/libsvn_subr/dso.lo: subversion/libsvn_subr/dso.c subversion/include/private/svn_debug.h subversion/include/private/svn_mutex.h subversion/include/svn_checksum.h subversion/include/svn_dso.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_hash.h subversion/include/svn_io.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/svn_private_config.h 
@@ -2781,7 +2781,7 @@ subversion/tests/libsvn_subr/config-test.lo: subversion/tests/libsvn_subr/config subversion/tests/libsvn_subr/crypto-test.lo: subversion/tests/libsvn_subr/crypto-test.c subversion/include/private/svn_debug.h subversion/include/svn_checksum.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/libsvn_subr/crypto.h subversion/tests/svn_test.h -subversion/tests/libsvn_subr/dirent_uri-test.lo: subversion/tests/libsvn_subr/dirent_uri-test.c subversion/include/private/svn_debug.h subversion/include/private/svn_fspath.h subversion/include/svn_checksum.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/tests/svn_test.h +subversion/tests/libsvn_subr/dirent_uri-test.lo: subversion/tests/libsvn_subr/dirent_uri-test.c subversion/include/private/svn_cert.h subversion/include/private/svn_debug.h subversion/include/private/svn_fspath.h subversion/include/svn_checksum.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_path.h subversion/include/svn_pools.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/tests/svn_test.h subversion/tests/libsvn_subr/error-code-test.lo: subversion/tests/libsvn_subr/error-code-test.c subversion/include/private/svn_debug.h subversion/include/svn_checksum.h subversion/include/svn_delta.h subversion/include/svn_dirent_uri.h subversion/include/svn_error.h 
subversion/include/svn_error_codes.h subversion/include/svn_io.h subversion/include/svn_path.h subversion/include/svn_string.h subversion/include/svn_types.h subversion/tests/svn_test.h diff --git a/contrib/subversion/build.conf b/contrib/subversion/build.conf index 74defd02b66d..356163a2d2d8 100644 --- a/contrib/subversion/build.conf +++ b/contrib/subversion/build.conf @@ -342,6 +342,7 @@ msvc-export = private\svn_temp_serializer.h private\svn_io_private.h private\svn_string_private.h private\svn_magic.h private\svn_subr_private.h private\svn_mutex.h private\svn_named_atomic.h + private\svn_cert.h # Working copy management lib [libsvn_wc] diff --git a/contrib/subversion/configure b/contrib/subversion/configure index 3010dc7a878b..445251bdf75b 100755 --- a/contrib/subversion/configure +++ b/contrib/subversion/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for subversion 1.8.9. +# Generated by GNU Autoconf 2.69 for subversion 1.8.10. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='subversion' PACKAGE_TARNAME='subversion' -PACKAGE_VERSION='1.8.9' -PACKAGE_STRING='subversion 1.8.9' +PACKAGE_VERSION='1.8.10' +PACKAGE_STRING='subversion 1.8.10' PACKAGE_BUGREPORT='http://subversion.apache.org/' PACKAGE_URL='' @@ -1457,7 +1457,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures subversion 1.8.9 to adapt to many kinds of systems. +\`configure' configures subversion 1.8.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1523,7 +1523,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of subversion 1.8.9:";; + short | recursive ) echo "Configuration of subversion 1.8.10:";; esac cat <<\_ACEOF 
@@ -1737,7 +1737,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -subversion configure 1.8.9 +subversion configure 1.8.10 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2281,7 +2281,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by subversion $as_me 1.8.9, which was +It was created by subversion $as_me 1.8.10, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2661,8 +2661,8 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. -{ $as_echo "$as_me:${as_lineno-$LINENO}: Configuring Subversion 1.8.9" >&5 -$as_echo "$as_me: Configuring Subversion 1.8.9" >&6;} +{ $as_echo "$as_me:${as_lineno-$LINENO}: Configuring Subversion 1.8.10" >&5 +$as_echo "$as_me: Configuring Subversion 1.8.10" >&6;} abs_srcdir="`cd $srcdir && pwd`" @@ -5285,7 +5285,26 @@ if test "x$ac_cv_header_serf_h" = xyes; then : _ACEOF save_ldflags="$LDFLAGS" - LDFLAGS="$LDFLAGS -L$serf_prefix/lib" + LDFLAGS="$LDFLAGS ` + input_flags="-L$serf_prefix/lib" + output_flags="" + filtered_dirs="/lib /lib64 /usr/lib /usr/lib64" + for flag in $input_flags; do + filter="no" + for dir in $filtered_dirs; do + if test "$flag" = "-L$dir" || test "$flag" = "-L$dir/"; then + filter="yes" + break + fi + done + if test "$filter" = "no"; then + output_flags="$output_flags $flag" + fi + done + if test -n "$output_flags"; then + printf "%s" "${output_flags# }" + fi +`" as_ac_Lib=`$as_echo "ac_cv_lib_$serf_major''_serf_context_create" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking for serf_context_create in -l$serf_major" >&5 $as_echo_n "checking for serf_context_create in -l$serf_major... " >&6; } 
@@ -5369,7 +5388,26 @@ done SVN_SERF_LIBS="$serf_prefix/lib/lib$serf_major.la" else SVN_SERF_LIBS="-l$serf_major" - LDFLAGS="$LDFLAGS -L$serf_prefix/lib" + LDFLAGS="$LDFLAGS ` + input_flags="-L$serf_prefix/lib" + output_flags="" + filtered_dirs="/lib /lib64 /usr/lib /usr/lib64" + for flag in $input_flags; do + filter="no" + for dir in $filtered_dirs; do + if test "$flag" = "-L$dir" || test "$flag" = "-L$dir/"; then + filter="yes" + break + fi + done + if test "$filter" = "no"; then + output_flags="$output_flags $flag" + fi + done + if test -n "$output_flags"; then + printf "%s" "${output_flags# }" + fi +`" fi fi @@ -18002,7 +18040,26 @@ if test "${with_berkeley_db+set}" = set; then : done SVN_DB_INCLUDES="${SVN_DB_INCLUDES## }" for l in `echo "$withval" | $SED -e "s/.*:[^:]*:\([^:]*\):.*/\1/"`; do - LDFLAGS="$LDFLAGS -L$l" + LDFLAGS="$LDFLAGS ` + input_flags="-L$l" + output_flags="" + filtered_dirs="/lib /lib64 /usr/lib /usr/lib64" + for flag in $input_flags; do + filter="no" + for dir in $filtered_dirs; do + if test "$flag" = "-L$dir" || test "$flag" = "-L$dir/"; then + filter="yes" + break + fi + done + if test "$filter" = "no"; then + output_flags="$output_flags $flag" + fi + done + if test -n "$output_flags"; then + printf "%s" "${output_flags# }" + fi +`" done SVN_DB_LIBS="" for l in `echo "$withval" | $SED -e "s/.*:\([^:]*\)/\1/"`; do 
@@ -22728,12 +22785,6 @@ $as_echo "$svn_cv_ruby_teeny" >&6; } $as_echo "$as_me: WARNING: The detected Ruby is between 1.9 and 1.9.3" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Only 1.8.x and 1.9.3 releases are supported at this time" >&5 $as_echo "$as_me: WARNING: Only 1.8.x and 1.9.3 releases are supported at this time" >&2;} - elif test \( "$RUBY_MAJOR" -eq "1" -a "$RUBY_MINOR" -eq "9" -a "$RUBY_TEENY" -eq "3" \); then - #Warn about 1.9.3 support - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: WARNING: The detected Ruby is 1.9.3" >&5 -$as_echo "$as_me: WARNING: WARNING: The detected Ruby is 1.9.3" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: WARNING: Only 1.8.x releases are fully supported, 1.9.3 support is new" >&5 -$as_echo "$as_me: WARNING: WARNING: Only 1.8.x releases are fully supported, 1.9.3 support is new" >&2;} fi else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 @@ -25746,7 +25797,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by subversion $as_me 1.8.9, which was +This file was extended by subversion $as_me 1.8.10, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -25812,7 +25863,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -subversion config.status 1.8.9 +subversion config.status 1.8.10 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/subversion/configure.ac b/contrib/subversion/configure.ac index f7d2264a9b89..955ba254f87c 100644 --- a/contrib/subversion/configure.ac +++ b/contrib/subversion/configure.ac 
@@ -1280,10 +1280,6 @@ if test "$RUBY" != "none"; then RUBY="none" AC_MSG_WARN([The detected Ruby is between 1.9 and 1.9.3]) AC_MSG_WARN([Only 1.8.x and 1.9.3 releases are supported at this time]) - elif test \( "$RUBY_MAJOR" -eq "1" -a "$RUBY_MINOR" -eq "9" -a "$RUBY_TEENY" -eq "3" \); then - #Warn about 1.9.3 support - AC_MSG_WARN([WARNING: The detected Ruby is 1.9.3]) - AC_MSG_WARN([WARNING: Only 1.8.x releases are fully supported, 1.9.3 support is new]) fi else AC_MSG_RESULT([no]) diff --git a/contrib/subversion/get-deps.sh b/contrib/subversion/get-deps.sh index 0c0be8cc175d..912547c836ec 100755 --- a/contrib/subversion/get-deps.sh +++ b/contrib/subversion/get-deps.sh @@ -33,11 +33,11 @@ APR_VERSION=${APR_VERSION:-"1.4.6"} APU_VERSION=${APU_VERSION:-"1.5.1"} -SERF_VERSION=${SERF_VERSION:-"1.2.1"} +SERF_VERSION=${SERF_VERSION:-"1.3.4"} ZLIB_VERSION=${ZLIB_VERSION:-"1.2.8"} SQLITE_VERSION=${SQLITE_VERSION:-"3.7.15.1"} GTEST_VERSION=${GTEST_VERSION:-"1.6.0"} -HTTPD_VERSION=${HTTPD_VERSION:-"2.4.6"} +HTTPD_VERSION=${HTTPD_VERSION:-"2.4.10"} APR_ICONV_VERSION=${APR_ICONV_VERSION:-"1.2.1"} APR=apr-${APR_VERSION} @@ -57,7 +57,7 @@ TEMPDIR=$BASEDIR/temp HTTP_FETCH= [ -z "$HTTP_FETCH" ] && type wget >/dev/null 2>&1 && HTTP_FETCH="wget -q -nc" -[ -z "$HTTP_FETCH" ] && type curl >/dev/null 2>&1 && HTTP_FETCH="curl -sO" +[ -z "$HTTP_FETCH" ] && type curl >/dev/null 2>&1 && HTTP_FETCH="curl -sOL" [ -z "$HTTP_FETCH" ] && type fetch >/dev/null 2>&1 && HTTP_FETCH="fetch -q" # Need this uncommented if any of the specific versions of the ASF tarballs to @@ -89,7 +89,7 @@ get_serf() { test -d $BASEDIR/serf && return cd $TEMPDIR - $HTTP_FETCH http://serf.googlecode.com/files/$SERF.tar.bz2 + $HTTP_FETCH http://serf.googlecode.com/svn/src_releases/$SERF.tar.bz2 cd $BASEDIR bzip2 -dc $TEMPDIR/$SERF.tar.bz2 | tar -xf - 
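Review bot: With `HTTP_FETCH="curl -sOL"` the script now follows redirects, while the download URLs visible in these hunks are plain `http://` and nothing checks the tarball before it is piped into `tar -xf -`. The get_serf hunk that follows and the get_zlib hunk after it both move to new `http://` locations, so the same applies to them. At minimum add a comment next to HTTP_FETCH such as `# Downloads are unauthenticated: verify each tarball against the project's published checksum or signature before building.`. Better still, have the script stop when a pinned checksum does not match.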
@@ -101,7 +101,7 @@ get_zlib() { test -d $BASEDIR/zlib && return cd $TEMPDIR - $HTTP_FETCH http://www.zlib.net/$ZLIB.tar.gz + $HTTP_FETCH http://sourceforge.net/projects/libpng/files/zlib/$ZLIB_VERSION/$ZLIB.tar.gz cd $BASEDIR gzip -dc $TEMPDIR/$ZLIB.tar.gz | tar -xf - diff --git a/contrib/subversion/subversion/include/private/svn_cert.h b/contrib/subversion/subversion/include/private/svn_cert.h new file mode 100644 index 000000000000..32e32a01f7d9 --- /dev/null +++ b/contrib/subversion/subversion/include/private/svn_cert.h 
@@ -0,0 +1,68 @@
+/**
+ * @copyright
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ * @endcopyright
+ *
+ * @file svn_cert.h
+ * @brief Implementation of certificate validation functions
+ */
+
+#ifndef SVN_CERT_H
+#define SVN_CERT_H
+
+#include
+
+#include "svn_types.h"
+#include "svn_string.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+
+/* Return TRUE iff @a pattern matches @a hostname as defined
+ * by the matching rules of RFC 6125. In the context of RFC
+ * 6125 the pattern is the domain name portion of the presented
+ * identifier (which comes from the Common Name or a DNSName
+ * portion of the subjectAltName of an X.509 certificate) and
+ * the hostname is the source domain (i.e. the host portion
+ * of the URI the user entered).
+ *
+ * @note With respect to wildcards we only support matching
+ * wildcards in the left-most label and as the only character
+ * in the left-most label (i.e. we support RFC 6125 ยง 6.4.3
+ * Rule 1 and 2 but not the optional Rule 3). This may change
+ * in the future.
+ * + * @note Subversion does not at current support internationalized + * domain names. Both values are presumed to be in NR-LDH label + * or A-label form (see RFC 5890 for the definition). + * + * @since New in 1.9. + */ +svn_boolean_t +svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname); + + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* SVN_CERT_H */ diff --git a/contrib/subversion/subversion/include/svn_version.h b/contrib/subversion/subversion/include/svn_version.h index ee97c88a2f05..8788fa56ea0a 100644 --- a/contrib/subversion/subversion/include/svn_version.h +++ b/contrib/subversion/subversion/include/svn_version.h @@ -72,7 +72,7 @@ extern "C" { * * @since New in 1.1. */ -#define SVN_VER_PATCH 9 +#define SVN_VER_PATCH 10 /** @deprecated Provided for backward compatibility with the 1.0 API. */ @@ -95,7 +95,7 @@ extern "C" { * * Always change this at the same time as SVN_VER_NUMTAG. */ -#define SVN_VER_TAG " (r1591380)" +#define SVN_VER_TAG " (r1615264)" /** Number tag: a string describing the version. @@ -121,7 +121,7 @@ extern "C" { * When rolling a tarball, we automatically replace it with what we * guess to be the correct revision number. */ -#define SVN_VER_REVISION 1591380 +#define SVN_VER_REVISION 1615264 /* Version strings composed from the above definitions. */ diff --git a/contrib/subversion/subversion/libsvn_client/delete.c b/contrib/subversion/subversion/libsvn_client/delete.c index 2f4ee664f335..803b70c1fb23 100644 --- a/contrib/subversion/subversion/libsvn_client/delete.c +++ b/contrib/subversion/subversion/libsvn_client/delete.c @@ -193,7 +193,7 @@ path_driver_cb_func(void **dir_baton, static svn_error_t * single_repos_delete(svn_ra_session_t *ra_session, - const char *repos_root, + const char *base_uri, const apr_array_header_t *relpaths, const apr_hash_t *revprop_table, svn_commit_callback2_t commit_callback, 
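Review bot: The new declaration in svn_cert.h takes both arguments as plain `svn_string_t *`, although the doc comment describes a pure predicate and the definition added in dirent_uri.c later in this diff only reads them. Declaring it as `svn_cert__match_dns_identity(const svn_string_t *pattern, const svn_string_t *hostname)`, in both the header and the definition, documents that neither string is modified and lets callers pass read-only values. The `@brief` line calls the header an "Implementation" although it only declares the function; `@brief Declarations of certificate identity matching functions` would be more accurate. The comment could also say that matching works on the counted `len` bytes of each string, since that decides how an embedded NUL byte is treated.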
@@ -221,7 +221,7 @@ single_repos_delete(svn_ra_session_t *ra_session, const char *relpath = APR_ARRAY_IDX(relpaths, i, const char *); item = svn_client_commit_item3_create(pool); - item->url = svn_path_url_add_component2(repos_root, relpath, pool); + item->url = svn_path_url_add_component2(base_uri, relpath, pool); item->state_flags = SVN_CLIENT_COMMIT_ITEM_DELETE; APR_ARRAY_PUSH(commit_items, svn_client_commit_item3_t *) = item; } @@ -361,7 +361,6 @@ delete_urls_multi_repos(const apr_array_header_t *uris, iterpool = svn_pool_create(pool); for (hi = apr_hash_first(pool, deletables); hi; hi = apr_hash_next(hi)) { - const char *repos_root = svn__apr_hash_index_key(hi); struct repos_deletables_t *repos_deletables = svn__apr_hash_index_val(hi); const char *base_uri; apr_array_header_t *target_relpaths; @@ -398,7 +397,7 @@ delete_urls_multi_repos(const apr_array_header_t *uris, } SVN_ERR(svn_ra_reparent(repos_deletables->ra_session, base_uri, pool)); - SVN_ERR(single_repos_delete(repos_deletables->ra_session, repos_root, + SVN_ERR(single_repos_delete(repos_deletables->ra_session, base_uri, target_relpaths, revprop_table, commit_callback, commit_baton, ctx, iterpool)); diff --git a/contrib/subversion/subversion/libsvn_client/externals.c b/contrib/subversion/subversion/libsvn_client/externals.c index e572dc7b3f00..8c08f405279e 100644 --- a/contrib/subversion/subversion/libsvn_client/externals.c +++ b/contrib/subversion/subversion/libsvn_client/externals.c 
@@ -1017,19 +1017,30 @@ svn_client__handle_externals(apr_hash_t *externals_new, parent_abspath = svn_dirent_dirname(parent_abspath, iterpool); SVN_ERR(svn_wc_read_kind2(&kind, ctx->wc_ctx, parent_abspath, - TRUE, FALSE, iterpool)); + FALSE /* show_deleted*/, + FALSE /* show_hidden */, + iterpool)); if (kind == svn_node_none) { svn_error_t *err; err = svn_io_dir_remove_nonrecursive(parent_abspath, iterpool); - if (err && APR_STATUS_IS_ENOTEMPTY(err->apr_err)) + if (err) { - svn_error_clear(err); - break; + if (APR_STATUS_IS_ENOTEMPTY(err->apr_err)) + { + svn_error_clear(err); + break; /* No parents to delete */ + } + else if (APR_STATUS_IS_ENOENT(err->apr_err) + || APR_STATUS_IS_ENOTDIR(err->apr_err)) + { + svn_error_clear(err); + /* Fall through; parent dir might be unversioned */ + } + else + return svn_error_trace(err); } - else - SVN_ERR(err); } } while (strcmp(parent_abspath, defining_abspath) != 0); } diff --git a/contrib/subversion/subversion/libsvn_fs_fs/fs_fs.c b/contrib/subversion/subversion/libsvn_fs_fs/fs_fs.c index 372455d2d735..89816a8bcb6f 100644 --- a/contrib/subversion/subversion/libsvn_fs_fs/fs_fs.c +++ b/contrib/subversion/subversion/libsvn_fs_fs/fs_fs.c @@ -8877,7 +8877,12 @@ svn_fs_fs__create(svn_fs_t *fs, SVN_ERR(write_revision_zero(fs)); - SVN_ERR(write_config(fs, pool)); + /* Create the fsfs.conf file if supported. Older server versions would + simply ignore the file but that might result in a different behavior + than with the later releases. Also, hotcopy would ignore, i.e. not + copy, a fsfs.conf with old formats. */ + if (ffd->format >= SVN_FS_FS__MIN_CONFIG_FILE) + SVN_ERR(write_config(fs, pool)); SVN_ERR(read_config(ffd, fs->path, pool)); diff --git a/contrib/subversion/subversion/libsvn_fs_fs/rep-cache-db.h b/contrib/subversion/subversion/libsvn_fs_fs/rep-cache-db.h index 5e1510784800..0c9b821fec4b 100644 --- a/contrib/subversion/subversion/libsvn_fs_fs/rep-cache-db.h +++ b/contrib/subversion/subversion/libsvn_fs_fs/rep-cache-db.h 
@@ -1,4 +1,4 @@ -/* This file is automatically generated from rep-cache-db.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_fs_fs/token-map.h. +/* This file is automatically generated from rep-cache-db.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_fs_fs/token-map.h. * Do not edit this file -- edit the source and rerun gen-make.py */ #define STMT_CREATE_SCHEMA 0 diff --git a/contrib/subversion/subversion/libsvn_ra_serf/commit.c b/contrib/subversion/subversion/libsvn_ra_serf/commit.c index 4950ac48911a..1f9f1cc99f06 100644 --- a/contrib/subversion/subversion/libsvn_ra_serf/commit.c +++ b/contrib/subversion/subversion/libsvn_ra_serf/commit.c @@ -99,14 +99,11 @@ typedef struct proppatch_context_t { } proppatch_context_t; typedef struct delete_context_t { - const char *path; + const char *relpath; svn_revnum_t revision; - const char *lock_token; - apr_hash_t *lock_token_hash; - svn_boolean_t keep_locks; - + commit_context_t *commit; } delete_context_t; /* Represents a directory. */ @@ -149,7 +146,6 @@ typedef struct dir_context_t { /* The checked-out working resource for this directory. May be NULL; if so call checkout_dir() first. */ const char *working_url; - } dir_context_t; /* Represents a file to be committed. */ 
@@ -1077,6 +1073,96 @@ setup_copy_file_headers(serf_bucket_t *headers, return SVN_NO_ERROR; } +static svn_error_t * +setup_if_header_recursive(svn_boolean_t *added, + serf_bucket_t *headers, + commit_context_t *commit_ctx, + const char *rq_relpath, + apr_pool_t *pool) +{ + svn_stringbuf_t *sb = NULL; + apr_hash_index_t *hi; + apr_pool_t *iterpool = NULL; + + if (!commit_ctx->lock_tokens) + { + *added = FALSE; + return SVN_NO_ERROR; + } + + /* We try to create a directory, so within the Subversion world that + would imply that there is nothing here, but mod_dav_svn still sees + locks on the old nodes here as in DAV it is perfectly legal to lock + something that is not there... + + Let's make mod_dav, mod_dav_svn and the DAV RFC happy by providing + the locks we know of with the request */ + + for (hi = apr_hash_first(pool, commit_ctx->lock_tokens); + hi; + hi = apr_hash_next(hi)) + { + const char *relpath = svn__apr_hash_index_key(hi); + apr_uri_t uri; + + if (!svn_relpath_skip_ancestor(rq_relpath, relpath)) + continue; + else if (svn_hash_gets(commit_ctx->deleted_entries, relpath)) + { + /* When a path is already explicit deleted then its lock + will be removed by mod_dav. 
But mod_dav doesn't remove + locks on descendants */ + continue; + } + + if (!iterpool) + iterpool = svn_pool_create(pool); + else + svn_pool_clear(iterpool); + + if (sb == NULL) + sb = svn_stringbuf_create("", pool); + else + svn_stringbuf_appendbyte(sb, ' '); + + uri = commit_ctx->session->session_url; + uri.path = (char *)svn_path_url_add_component2(uri.path, relpath, + iterpool); + + svn_stringbuf_appendbyte(sb, '<'); + svn_stringbuf_appendcstr(sb, apr_uri_unparse(iterpool, &uri, 0)); + svn_stringbuf_appendcstr(sb, "> (<"); + svn_stringbuf_appendcstr(sb, svn__apr_hash_index_val(hi)); + svn_stringbuf_appendcstr(sb, ">)"); + } + + if (iterpool) + svn_pool_destroy(iterpool); + + if (sb) + { + serf_bucket_headers_set(headers, "If", sb->data); + *added = TRUE; + } + else + *added = FALSE; + + return SVN_NO_ERROR; +} + +static svn_error_t * +setup_add_dir_common_headers(serf_bucket_t *headers, + void *baton, + apr_pool_t *pool) +{ + dir_context_t *dir = baton; + svn_boolean_t added; + + return svn_error_trace( + setup_if_header_recursive(&added, headers, dir->commit, dir->relpath, + pool)); +} + static svn_error_t * setup_copy_dir_headers(serf_bucket_t *headers, void *baton, @@ -1109,7 +1195,7 @@ setup_copy_dir_headers(serf_bucket_t *headers, /* Implicitly checkout this dir now. */ dir->working_url = apr_pstrdup(dir->pool, uri.path); - return SVN_NO_ERROR; + return svn_error_trace(setup_add_dir_common_headers(headers, baton, pool)); } static svn_error_t * 
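Review bot: `setup_if_header_recursive` is added without a header comment, and the one block comment inside it speaks only of creating a directory, although `setup_delete_headers` calls the same helper for DELETE later in this diff. A short doc comment should say that it sets an `If` header listing the lock token of every path in `commit_ctx->lock_tokens` at or below `rq_relpath` that is not in `commit_ctx->deleted_entries`, and that `*added` reports whether the header was set. It should also note that the header value grows with the number of matching locks: the function applies no bound, and servers commonly limit request header size, so a commit under a heavily locked subtree may be rejected for that reason rather than for a lock error.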
@@ -1117,51 +1203,19 @@ setup_delete_headers(serf_bucket_t *headers, void *baton, apr_pool_t *pool) { - delete_context_t *ctx = baton; + delete_context_t *del = baton; + svn_boolean_t added; serf_bucket_headers_set(headers, SVN_DAV_VERSION_NAME_HEADER, - apr_ltoa(pool, ctx->revision)); + apr_ltoa(pool, del->revision)); - if (ctx->lock_token_hash) - { - ctx->lock_token = svn_hash_gets(ctx->lock_token_hash, ctx->path); + SVN_ERR(setup_if_header_recursive(&added, headers, del->commit, + del->relpath, pool)); - if (ctx->lock_token) - { - const char *token_header; + if (added && del->commit->keep_locks) + serf_bucket_headers_setn(headers, SVN_DAV_OPTIONS_HEADER, + SVN_DAV_OPTION_KEEP_LOCKS); - token_header = apr_pstrcat(pool, "<", ctx->path, "> (<", - ctx->lock_token, ">)", (char *)NULL); - - serf_bucket_headers_set(headers, "If", token_header); - - if (ctx->keep_locks) - serf_bucket_headers_setn(headers, SVN_DAV_OPTIONS_HEADER, - SVN_DAV_OPTION_KEEP_LOCKS); - } - } - - return SVN_NO_ERROR; -} - -/* Implements svn_ra_serf__request_body_delegate_t */ -static svn_error_t * -create_delete_body(serf_bucket_t **body_bkt, - void *baton, - serf_bucket_alloc_t *alloc, - apr_pool_t *pool) -{ - delete_context_t *ctx = baton; - serf_bucket_t *body; - - body = serf_bucket_aggregate_create(alloc); - - svn_ra_serf__add_xml_header_buckets(body, alloc); - - svn_ra_serf__merge_lock_token_list(ctx->lock_token_hash, ctx->path, - body, alloc, pool); - - *body_bkt = body; return SVN_NO_ERROR; } @@ -1541,7 +1595,6 @@ delete_entry(const char *path, delete_context_t *delete_ctx; svn_ra_serf__handler_t *handler; const char *delete_target; - svn_error_t *err; if (USING_HTTPV2_COMMIT_SUPPORT(dir->commit)) { 
@@ -1560,10 +1613,9 @@ delete_entry(const char *path, /* DELETE our entry */ delete_ctx = apr_pcalloc(pool, sizeof(*delete_ctx)); - delete_ctx->path = apr_pstrdup(pool, path); + delete_ctx->relpath = apr_pstrdup(pool, path); delete_ctx->revision = revision; - delete_ctx->lock_token_hash = dir->commit->lock_tokens; - delete_ctx->keep_locks = dir->commit->keep_locks; + delete_ctx->commit = dir->commit; handler = apr_pcalloc(pool, sizeof(*handler)); handler->handler_pool = pool; @@ -1579,30 +1631,7 @@ delete_entry(const char *path, handler->method = "DELETE"; handler->path = delete_target; - err = svn_ra_serf__context_run_one(handler, pool); - - if (err && - (err->apr_err == SVN_ERR_FS_BAD_LOCK_TOKEN || - err->apr_err == SVN_ERR_FS_NO_LOCK_TOKEN || - err->apr_err == SVN_ERR_FS_LOCK_OWNER_MISMATCH || - err->apr_err == SVN_ERR_FS_PATH_ALREADY_LOCKED)) - { - svn_error_clear(err); - - /* An error has been registered on the connection. Reset the thing - so that we can use it again. */ - serf_connection_reset(handler->conn->conn); - - handler->body_delegate = create_delete_body; - handler->body_delegate_baton = delete_ctx; - handler->body_type = "text/xml"; - - SVN_ERR(svn_ra_serf__context_run_one(handler, pool)); - } - else if (err) - { - return err; - } + SVN_ERR(svn_ra_serf__context_run_one(handler, pool)); /* 204 No Content: item successfully deleted */ if (handler->sline.code != 204) @@ -1673,6 +1702,9 @@ add_directory(const char *path, { handler->method = "MKCOL"; handler->path = mkcol_target; + + handler->header_delegate = setup_add_dir_common_headers; + handler->header_delegate_baton = dir; } else { @@ -2341,7 +2373,8 @@ svn_ra_serf__get_commit_editor(svn_ra_session_t *ra_session, ctx->callback = callback; ctx->callback_baton = callback_baton; - ctx->lock_tokens = lock_tokens; + ctx->lock_tokens = (lock_tokens && apr_hash_count(lock_tokens)) + ? lock_tokens : NULL; ctx->keep_locks = keep_locks; ctx->deleted_entries = apr_hash_make(ctx->pool); 
diff --git a/contrib/subversion/subversion/libsvn_ra_serf/options.c b/contrib/subversion/subversion/libsvn_ra_serf/options.c index a3c2fb95c881..f61ee87142c6 100644 --- a/contrib/subversion/subversion/libsvn_ra_serf/options.c +++ b/contrib/subversion/subversion/libsvn_ra_serf/options.c @@ -302,7 +302,7 @@ capabilities_headers_iterator_callback(void *baton, /* May contain multiple values, separated by commas. */ int i; apr_array_header_t *vals = svn_cstring_split(val, ",", TRUE, - opt_ctx->pool); + session->pool); for (i = 0; i < vals->nelts; i++) { diff --git a/contrib/subversion/subversion/libsvn_ra_serf/util.c b/contrib/subversion/subversion/libsvn_ra_serf/util.c index 60fa3c44af17..8f6c1bb5d4fa 100644 --- a/contrib/subversion/subversion/libsvn_ra_serf/util.c +++ b/contrib/subversion/subversion/libsvn_ra_serf/util.c @@ -28,7 +28,6 @@ #define APR_WANT_STRFUNC #include #include -#include #include #include @@ -49,6 +48,7 @@ #include "private/svn_fspath.h" #include "private/svn_subr_private.h" #include "private/svn_auth_private.h" +#include "private/svn_cert.h" #include "ra_serf.h" @@ -274,7 +274,6 @@ ssl_server_cert(void *baton, int failures, apr_hash_t *subject = NULL; apr_hash_t *serf_cert = NULL; void *creds; - int found_matching_hostname = 0; svn_failures = (ssl_convert_serf_failures(failures) | conn->server_cert_failures); 
@@ -286,26 +285,37 @@ ssl_server_cert(void *baton, int failures, ### This should really be handled by serf, which should pass an error for this case, but that has backwards compatibility issues. */ apr_array_header_t *san; + svn_boolean_t found_san_entry = FALSE; + svn_boolean_t found_matching_hostname = FALSE; + svn_string_t *actual_hostname = + svn_string_create(conn->session->session_url.hostname, scratch_pool); serf_cert = serf_ssl_cert_certificate(cert, scratch_pool); san = svn_hash_gets(serf_cert, "subjectAltName"); /* Try to find matching server name via subjectAltName first... */ - if (san) { + if (san) + { int i; - for (i = 0; i < san->nelts; i++) { + found_san_entry = san->nelts > 0; + for (i = 0; i < san->nelts; i++) + { const char *s = APR_ARRAY_IDX(san, i, const char*); - if (apr_fnmatch(s, conn->session->session_url.hostname, - APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS) - { - found_matching_hostname = 1; - break; - } - } - } + svn_string_t *cert_hostname = svn_string_create(s, scratch_pool); - /* Match server certificate CN with the hostname of the server */ - if (!found_matching_hostname) + if (svn_cert__match_dns_identity(cert_hostname, actual_hostname)) + { + found_matching_hostname = TRUE; + break; + } + } + } + + /* Match server certificate CN with the hostname of the server iff + * we didn't find any subjectAltName fields and try to match them. + * Per RFC 2818 they are authoritative if present and CommonName + * should be ignored. */ + if (!found_matching_hostname && !found_san_entry) { const char *hostname = NULL; 
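Review bot: The subjectAltName loop builds each `cert_hostname` with `svn_string_create(s, scratch_pool)` from a C string, so the comparison sees a name only up to its first NUL byte and depends on serf having escaped or rejected embedded NULs before the value reaches this callback. The serf update in this same diff (1.3.7, "Handle NUL bytes in fields of an X.509 certificate") does that, but nothing in this hunk ties the code to that serf version; if an older serf can still be linked, add a comment such as `/* Relies on serf >= 1.3.7 escaping NUL bytes in subjectAltName and CN values. */` and a version check where serf is initialised. Separately, `found_san_entry = san->nelts > 0;` reflects only the entries serf exposes under "subjectAltName"; which SAN types those are is not visible here, so the CN-fallback condition deserves a one-line comment stating which entries suppress it. `ssl_server_cert` starts and ends outside this hunk.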
@@ -314,13 +324,20 @@ ssl_server_cert(void *baton, int failures, if (subject) hostname = svn_hash_gets(subject, "CN"); - if (!hostname - || apr_fnmatch(hostname, conn->session->session_url.hostname, - APR_FNM_PERIOD | APR_FNM_CASE_BLIND) != APR_SUCCESS) - { - svn_failures |= SVN_AUTH_SSL_CNMISMATCH; - } - } + if (hostname) + { + svn_string_t *cert_hostname = svn_string_create(hostname, + scratch_pool); + + if (svn_cert__match_dns_identity(cert_hostname, actual_hostname)) + { + found_matching_hostname = TRUE; + } + } + } + + if (!found_matching_hostname) + svn_failures |= SVN_AUTH_SSL_CNMISMATCH; } if (!svn_failures) diff --git a/contrib/subversion/subversion/libsvn_subr/config_auth.c b/contrib/subversion/subversion/libsvn_subr/config_auth.c index 091e4e84abcd..ed26a58cb362 100644 --- a/contrib/subversion/subversion/libsvn_subr/config_auth.c +++ b/contrib/subversion/subversion/libsvn_subr/config_auth.c @@ -94,6 +94,7 @@ svn_config_read_auth_data(apr_hash_t **hash, if (kind == svn_node_file) { svn_stream_t *stream; + svn_string_t *stored_realm; SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool), _("Unable to open auth file for reading")); @@ -104,6 +105,11 @@ svn_config_read_auth_data(apr_hash_t **hash, apr_psprintf(pool, _("Error parsing '%s'"), svn_dirent_local_style(auth_path, pool))); + stored_realm = svn_hash_gets(*hash, SVN_CONFIG_REALMSTRING_KEY); + + if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0) + *hash = NULL; /* Hash collision, or somebody tampering with storage */ + SVN_ERR(svn_stream_close(stream)); } diff --git a/contrib/subversion/subversion/libsvn_subr/dirent_uri.c b/contrib/subversion/subversion/libsvn_subr/dirent_uri.c index 4801f8c8e114..6886a3e7550e 100644 --- a/contrib/subversion/subversion/libsvn_subr/dirent_uri.c +++ b/contrib/subversion/subversion/libsvn_subr/dirent_uri.c 
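Review bot: The new realm check in `svn_config_read_auth_data` uses `strcmp(stored_realm->data, realmstring)`, which stops at the first NUL in the stored value. A stored realm that begins with `realmstring` followed by a NUL byte would therefore be accepted if the on-disk format allows counted values; it appears to, given that `svn_string_t` carries a `len`, but this is to be confirmed. Comparing the counted length as well closes that: `if (!stored_realm || stored_realm->len != strlen(realmstring) || memcmp(stored_realm->data, realmstring, stored_realm->len) != 0)`. The comment could also state what callers observe: a mismatch is reported exactly like a missing cache entry (`*hash = NULL`), with no error or warning, so a tampered or colliding file is silently ignored rather than surfaced. The function starts and ends outside these hunks.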
@@ -38,6 +38,7 @@ #include "dirent_uri.h" #include "private/svn_fspath.h" +#include "private/svn_cert.h" /* The canonical empty path. Can this be changed? Well, change the empty test below and the path library will work, not so sure about the fs/wc 
@@ -2597,3 +2598,81 @@ svn_urlpath__canonicalize(const char *uri, } return uri; } + + +/* -------------- The cert API (see private/svn_cert.h) ------------- */ + +svn_boolean_t +svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname) +{ + apr_size_t pattern_pos = 0, hostname_pos = 0; + + /* support leading wildcards that composed of the only character in the + * left-most label. */ + if (pattern->len >= 2 && + pattern->data[pattern_pos] == '*' && + pattern->data[pattern_pos + 1] == '.') + { + while (hostname_pos < hostname->len && + hostname->data[hostname_pos] != '.') + { + hostname_pos++; + } + /* Assume that the wildcard must match something. Rule 2 says + * that *.example.com should not match example.com. If the wildcard + * ends up not matching anything then it matches .example.com which + * seems to be essentially the same as just example.com */ + if (hostname_pos == 0) + return FALSE; + + pattern_pos++; + } + + while (pattern_pos < pattern->len && hostname_pos < hostname->len) + { + char pattern_c = pattern->data[pattern_pos]; + char hostname_c = hostname->data[hostname_pos]; + + /* fold case as described in RFC 4343. + * Note: We actually convert to lowercase, since our URI + * canonicalization code converts to lowercase and generally + * most certs are issued with lowercase DNS names, meaning + * this avoids the fold operation in most cases. The RFC + * suggests the opposite transformation, but doesn't require + * any specific implementation in any case. It is critical + * that this folding be locale independent so you can't use + * tolower(). */ + pattern_c = canonicalize_to_lower(pattern_c); + hostname_c = canonicalize_to_lower(hostname_c); + + if (pattern_c != hostname_c) + { + /* doesn't match */ + return FALSE; + } + else + { + /* characters match so skip both */ + pattern_pos++; + hostname_pos++; + } + } + + /* ignore a trailing period on the hostname since this has no effect on the + * security of the matching. 
See the following for the long explanation as + * to why: + * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28 + */ + if (pattern_pos == pattern->len && + hostname_pos == hostname->len - 1 && + hostname->data[hostname_pos] == '.') + hostname_pos++; + + if (pattern_pos != pattern->len || hostname_pos != hostname->len) + { + /* end didn't match */ + return FALSE; + } + + return TRUE; +} diff --git a/contrib/subversion/subversion/libsvn_subr/internal_statements.h b/contrib/subversion/subversion/libsvn_subr/internal_statements.h index 4fa938932ecc..58616f4c450f 100644 --- a/contrib/subversion/subversion/libsvn_subr/internal_statements.h +++ b/contrib/subversion/subversion/libsvn_subr/internal_statements.h @@ -1,4 +1,4 @@ -/* This file is automatically generated from internal_statements.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_subr/token-map.h. +/* This file is automatically generated from internal_statements.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_subr/token-map.h. * Do not edit this file -- edit the source and rerun gen-make.py */ #define STMT_INTERNAL_SAVEPOINT_SVN 0 diff --git a/contrib/subversion/subversion/libsvn_subr/opt.c b/contrib/subversion/subversion/libsvn_subr/opt.c index e499089c4170..d91a2ef379f9 100644 --- a/contrib/subversion/subversion/libsvn_subr/opt.c +++ b/contrib/subversion/subversion/libsvn_subr/opt.c @@ -417,7 +417,9 @@ svn_opt_subcommand_help3(const char *subcommand, _("\"%s\": unknown command.\n\n"), subcommand); if (err) { - svn_handle_error2(err, stderr, FALSE, "svn: "); + /* Issue #3014: Don't print anything on broken pipes. */ + if (err->apr_err != SVN_ERR_IO_PIPE_WRITE_ERROR) + svn_handle_error2(err, stderr, FALSE, "svn: "); svn_error_clear(err); } } diff --git a/contrib/subversion/subversion/libsvn_wc/wc-checks.h b/contrib/subversion/subversion/libsvn_wc/wc-checks.h index 9fd40bd9fad9..43a006645426 100644 --- a/contrib/subversion/subversion/libsvn_wc/wc-checks.h 
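Review bot: The wildcard branch of `svn_cert__match_dns_identity` accepts `*.` followed by any suffix, so a pattern with a single label after the wildcard (for example `*.com`) matches every host directly under that suffix, and the same branch runs when `hostname` is an IP address literal. Many TLS clients refuse both cases as defence in depth against mis-issued certificates; a minimal guard inside the branch is `if (memchr(pattern->data + 2, '.', pattern->len - 2) == NULL) return FALSE;`, with IP literals excluded by the caller before any wildcard comparison. The empty-input behaviour also needs attention: two empty strings compare as a match, and an empty pattern matches the hostname `.`, because the final length comparison is the only gate. An early `if (pattern->len == 0) return FALSE;` would rule that out.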
+++ b/contrib/subversion/subversion/libsvn_wc/wc-checks.h @@ -1,4 +1,4 @@ -/* This file is automatically generated from wc-checks.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_wc/token-map.h. +/* This file is automatically generated from wc-checks.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_wc/token-map.h. * Do not edit this file -- edit the source and rerun gen-make.py */ #define STMT_VERIFICATION_TRIGGERS 0 diff --git a/contrib/subversion/subversion/libsvn_wc/wc-metadata.h b/contrib/subversion/subversion/libsvn_wc/wc-metadata.h index e39db8ab6ba1..b24f24ff3fbc 100644 --- a/contrib/subversion/subversion/libsvn_wc/wc-metadata.h +++ b/contrib/subversion/subversion/libsvn_wc/wc-metadata.h @@ -1,4 +1,4 @@ -/* This file is automatically generated from wc-metadata.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_wc/token-map.h. +/* This file is automatically generated from wc-metadata.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_wc/token-map.h. * Do not edit this file -- edit the source and rerun gen-make.py */ #define STMT_CREATE_SCHEMA 0 diff --git a/contrib/subversion/subversion/libsvn_wc/wc-queries.h b/contrib/subversion/subversion/libsvn_wc/wc-queries.h index 3fc6b2fe0f5f..2508bcf256e2 100644 --- a/contrib/subversion/subversion/libsvn_wc/wc-queries.h +++ b/contrib/subversion/subversion/libsvn_wc/wc-queries.h @@ -1,4 +1,4 @@ -/* This file is automatically generated from wc-queries.sql and .dist_sandbox/subversion-1.8.9/subversion/libsvn_wc/token-map.h. +/* This file is automatically generated from wc-queries.sql and .dist_sandbox/subversion-1.8.10/subversion/libsvn_wc/token-map.h. * Do not edit this file -- edit the source and rerun gen-make.py */ #define STMT_SELECT_NODE_INFO 0 diff --git a/contrib/subversion/subversion/libsvn_wc/wc_db.c b/contrib/subversion/subversion/libsvn_wc/wc_db.c index 81056c9a4a6a..ed59d4cf6456 100644 --- a/contrib/subversion/subversion/libsvn_wc/wc_db.c 
+++ b/contrib/subversion/subversion/libsvn_wc/wc_db.c @@ -3815,8 +3815,15 @@ cross_db_copy(svn_wc__db_wcroot_t *src_wcroot, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, src_wcroot, src_relpath, scratch_pool, scratch_pool)); - SVN_ERR(db_read_pristine_props(&props, src_wcroot, src_relpath, FALSE, - scratch_pool, scratch_pool)); + if (dst_status != svn_wc__db_status_not_present + && dst_status != svn_wc__db_status_excluded + && dst_status != svn_wc__db_status_server_excluded) + { + SVN_ERR(db_read_pristine_props(&props, src_wcroot, src_relpath, FALSE, + scratch_pool, scratch_pool)); + } + else + props = NULL; blank_iwb(&iwb); iwb.presence = dst_status; @@ -5131,6 +5138,17 @@ db_op_copy_shadowed_layer(svn_wc__db_wcroot_t *src_wcroot, scratch_pool)); } + if (dst_presence == svn_wc__db_status_not_present) + { + /* Don't create descendants of a not present node! */ + + /* This code is currently still triggered by copying deleted nodes + between separate working copies. See ### comment above. */ + + svn_pool_destroy(iterpool); + return SVN_NO_ERROR; + } + SVN_ERR(gather_repo_children(&children, src_wcroot, src_relpath, src_op_depth, scratch_pool, iterpool)); diff --git a/usr.bin/svn/svn_private_config.h b/usr.bin/svn/svn_private_config.h index 9e0ac1542f06..3583d6e79555 100644 --- a/usr.bin/svn/svn_private_config.h +++ b/usr.bin/svn/svn_private_config.h @@ -105,7 +105,7 @@ #define PACKAGE_NAME "subversion" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "subversion 1.8.9" +#define PACKAGE_STRING "subversion 1.8.10" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "subversion" @@ -114,7 +114,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.8.9" +#define PACKAGE_VERSION "1.8.10" /* Define to 1 if you have the ANSI C header files. */ #define STDC_HEADERS 1