From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Apr 4 13:10:01 2009
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C187B106567B for ; Sat, 4 Apr 2009 13:10:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 9CBC88FC18 for ; Sat, 4 Apr 2009 13:10:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n34DA1IJ054123 for ; Sat, 4 Apr 2009 13:10:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n34DA1xq054122; Sat, 4 Apr 2009 13:10:01 GMT (envelope-from gnats)
Resent-Date: Sat, 4 Apr 2009 13:10:01 GMT
Resent-Message-Id: <200904041310.n34DA1xq054122@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, olli hauer
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A93691065675 for ; Sat, 4 Apr 2009 13:01:37 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id 976F38FC1B for ; Sat, 4 Apr 2009 13:01:37 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n34D1bJs059429 for ; Sat, 4 Apr 2009 13:01:37 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.14.3/8.14.3/Submit) id n34D1bhJ059428; Sat, 4 Apr 2009 13:01:37 GMT (envelope-from nobody)
Message-Id: <200904041301.n34D1bhJ059428@www.freebsd.org>
Date: Sat, 4 Apr 2009 13:01:37 GMT
From: olli hauer
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: ports/133366: [patch] devel/subversion mod_dontdothat as option
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 04 Apr 2009 13:10:02 -0000

>Number:         133366
>Category:       ports
>Synopsis:       [patch] devel/subversion mod_dontdothat as option
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 04 13:10:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     olli hauer
>Release:
>Organization:
>Environment:
>Description:
from mod_dontdothat README file

mod_dontdothat is an Apache module that allows you to block specific types of Subversion requests. Specifically, it's designed to keep users from doing things that are particularly hard on the server, like checking out the root of the tree, or the tags or branches directories.

It works by sticking an input filter in front of all REPORT requests and looking for dangerous types of requests. If it finds any, it returns a 403 Forbidden error.

It is enabled via a single httpd.conf directive, DontDoThatConfigFile:

  DAV svn
  SVNParentPath /path/to/repositories
  DontDoThatConfigFile /path/to/config.file
  DontDoThatDisallowReplay off

The file you give to DontDoThatConfigFile is a Subversion configuration file that contains the following sections.

  [recursive-actions]
  /*/trunk = allow
  / = deny
  /* = deny
  /*/tags = deny
  /*/branches = deny
  /*/* = deny
  /*/*/tags = deny
  /*/*/branches = deny

As you might guess, this defines a set of patterns that control what the user is not allowed to do.
Anything with a 'deny' after it is denied, and as a fallback mechanism anything with an 'allow' after it is special cased to be allowed, even if it matches something that is denied. Note that the wildcard portions of a rule only swallow a single directory, so /* will match /foo, but not /foo/bar. They also must be at the end of a directory segment, so /foo* or /* are valid, but /*foo is not.

These rules are applied to any recursive action, which basically means any Subversion command that goes through the update-report, like update, diff, checkout, merge, etc.
>How-To-Repeat:
create a repo with ~100M in trunk
create 20 tags
svn co repo/tags

your traffic will explode in a way you don't like if you reach your included traffic amount
>Fix:
Patch attached with submission follows:

--- Makefile +++ Makefile @@ -19,6 +19,7 @@ OPTIONS= MOD_DAV_SVN "mod_dav_svn module for Apache 2.X" off \ APACHE2_APR "Use APR from Apache 2.X" off \ + MOD_DONTDOTHAT "build and install mod_dontdothat" off \ NEON "WebDAV/Delta-V repo access module (neon)" on \ SERF "WebDAV/Delta-V repo access module (serf)" off \ SASL "SASL2 authorization support" off \ @@ -103,6 +104,13 @@ @${ECHO_MSG} "the ${APACHE_PORT} port, rather than the devel/apr port." .endif @${ECHO_MSG} "" +.if defined(WITH_MOD_DONTDOTHAT) + @${ECHO_MSG} "mod_dontdothat module for Apache 2.X enabled." + @${ECHO_MSG} "This option implies the WITH_MOD_DAV_SVN option." +.else + @${ECHO_MSG} "You can enable the mod_dontdothat module for Apache 2.X" +.endif + @${ECHO_MSG} "" .if defined(WITH_SVNSERVE_WRAPPER) @${ECHO_MSG} "svnserve wrapper enabled." @${ECHO_MSG} "" 
@@ -160,6 +168,13 @@ pre-install: ${APXS} -e -S LIBEXECDIR=${PREFIX}/${APACHEMODDIR} -a -n dav ${PREFIX}/${APACHEMODDIR}/mod_dav.so ${APXS} -e -S LIBEXECDIR=${PREFIX}/${APACHEMODDIR} -a -n authz_svn ${PREFIX}/${APACHEMODDIR}/mod_authz_svn.so +.if defined(WITH_MOD_DONTDOTHAT) + cd ${WRKSRC}/contrib/server-side/mod_dontdothat && \ + ${APXS} -c -I${WRKSRC}/subversion/include -L${WRKSRC}/subversion/libsvn_subr/.libs -lsvn_subr-1 mod_dontdothat.c && \ + ${APXS} -e -S LIBEXECDIR=${PREFIX}/${APACHEMODDIR} -a -n dontdothat ${PREFIX}/${APACHEMODDIR}/mod_dontdothat.so + cd ${WRKSRC}/contrib/server-side/mod_dontdothat && \ + ${APXS} -i -n dontdothat mod_dontdothat.la +.endif .endif post-install: ${MKREPOS_TARGET} --- Makefile.common +++ Makefile.common @@ -60,6 +60,14 @@ PLIST_SUB+= BDB="@comment " .endif +.if defined(WITH_MOD_DONTDOTHAT) +WITH_MOD_DAV_SVN= yes +PLIST_SUB+= MOD_DONTDOTHAT="" +.else +PLIST_SUB+= MOD_DONTDOTHAT="@comment " +PKGDEINSTALL= NONEXISTENT +.endif + .if defined(WITH_MOD_DAV_SVN) WITH_APACHE2_APR= yes CONFIGURE_ARGS+= --with-apxs=${APXS} --- pkg-deinstall +++ pkg-deinstall @@ -49,9 +49,11 @@ awk '{if (!/^LoadModule dav_svn_module/ && !/^AddModule mod_dav_svn.c/ &&\ !/^LoadModule authz_svn_module/ &&\ - !/^AddModule mod_authz_svn.c/ ) \ + !/^AddModule mod_authz_svn.c/ &&\ + !/^LoadModule dontdothat_module/ &&\ + !/^AddModule mod_dontdothat.c/ ) \ print $0}' < ${confdir}/$i > ${tmpdir}/$i - echo Removing dav_svn_module and authz_svn_module from $i in config dir: ${confdir} + echo Removing dav_svn_module, authz_svn_module and dontdothat_module from $i in config dir: ${confdir} cat ${tmpdir}/$i > ${confdir}/$i done --- pkg-plist +++ pkg-plist 
@@ -291,6 +291,8 @@ %%MOD_DAV_SVN%%%%APACHEMODDIR%%/mod_authz_svn.so %%MOD_DAV_SVN%%@exec %D/sbin/apxs -e -S LIBEXECDIR=%D/%%APACHEMODDIR%% -a -n dav libexec/%%APACHEDIR%%/mod_dav.so %%MOD_DAV_SVN%%@exec %D/sbin/apxs -e -S LIBEXECDIR=%D/%%APACHEMODDIR%% -a -n dav_svn libexec/%%APACHEDIR%%/mod_dav_svn.so +%%MOD_DONTDOTHAT%%%%APACHEMODDIR%%/mod_dontdothat.so +%%MOD_DONTDOTHAT%%@exec %D/sbin/apxs -e -S LIBEXECDIR=%D/%%APACHEMODDIR%% -a -n dontdothat libexec/%%APACHEDIR%%/mod_dontdothat.so %%PORTDOCS%%%%BOOK%%@dirrm %%DOCSDIR%%/svn-book-html/images %%PORTDOCS%%%%BOOK%%@dirrm %%DOCSDIR%%/svn-book-html %%PORTDOCS%%@dirrm %%DOCSDIR%%
>Release-Note:
>Audit-Trail:
>Unformatted:
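Review bot: the new option line in the Makefile OPTIONS hunk does not say that it drags in MOD_DAV_SVN (and, through that, APACHE2_APR), although the Makefile.common hunk forces `WITH_MOD_DAV_SVN= yes` whenever WITH_MOD_DONTDOTHAT is defined; put that in the option text the user actually sees in the OPTIONS dialog, e.g. `MOD_DONTDOTHAT "build and install mod_dontdothat (implies MOD_DAV_SVN)" off \`, rather than only in the post-configure ECHO_MSG lines.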
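Review bot: in the pre-install hunk the module is compiled (`${APXS} -c ...`) inside the install phase, so `make build` never produces mod_dontdothat.so and the compile runs together with the privileged install step; move the `apxs -c` invocation to a post-build target and leave only the `apxs -i` and `apxs -e` steps in pre-install. Within the same hunk the order is also reversed: `${APXS} -e ... -a -n dontdothat ${PREFIX}/${APACHEMODDIR}/mod_dontdothat.so` edits httpd.conf before `${APXS} -i -n dontdothat mod_dontdothat.la` has put the file at that path; run the `-i` step first. The compile links with `-L${WRKSRC}/subversion/libsvn_subr/.libs -lsvn_subr-1` from the work tree, so the installed module depends on the port's installed libsvn_subr-1 at run time; that holds because the option implies MOD_DAV_SVN, but it is worth a sentence in the commit log.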
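Review bot: `PKGDEINSTALL= NONEXISTENT` in the `.else` branch of the new `.if defined(WITH_MOD_DONTDOTHAT)` block in Makefile.common fires whenever MOD_DONTDOTHAT is off, which includes every existing MOD_DAV_SVN-only configuration; unless the `.if defined(WITH_MOD_DAV_SVN)` block that follows re-assigns PKGDEINSTALL, deinstall will stop stripping the dav_svn_module and authz_svn_module lines from httpd.conf for those users. Drop that line and let the existing MOD_DAV_SVN handling decide whether pkg-deinstall is installed; the extended awk filter in pkg-deinstall is harmless when no dontdothat lines are present.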
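Review bot: the pkg-deinstall hunk removes `LoadModule dontdothat_module` / `AddModule mod_dontdothat.c` but leaves any `DontDoThatConfigFile` and `DontDoThatDisallowReplay` directives the administrator added, and httpd will refuse to start on an unknown directive once the module is unloaded; the same already applies to SVNParentPath when dav_svn is removed, so at least extend the `echo Removing ...` message (or a pkg-message) to tell the administrator to remove those directives by hand.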
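The [recursive-actions] semantics quoted from the README in the PR description (deny unless an allow rule also matches, a wildcard swallowing only the rest of one directory segment, wildcards allowed only at the end of a segment) are easy to misread, so here is an added example that models them against concrete paths. This is not mod_dontdothat's own code (the module is C and hooks REPORT requests inside Apache); it is a stand-alone Python reimplementation of the documented rule matching. The function names parse_rules, matches, decide and report_status are chosen here, the config text is the one quoted in the PR, and the requirement that patterns be absolute is my assumption, not something the README states.

```python
"""Model of the mod_dontdothat [recursive-actions] rule semantics.

Added example, not mod_dontdothat's own code: it reproduces the behaviour
the README describes so allow/deny precedence and the single-segment
wildcard can be checked against real repository paths.
"""

# Constructed sample config: the [recursive-actions] block quoted in the PR.
SAMPLE_CONFIG = """
[recursive-actions]
/*/trunk = allow
/ = deny
/* = deny
/*/tags = deny
/*/branches = deny
/*/* = deny
/*/*/tags = deny
/*/*/branches = deny
"""


def _segments(path):
    """Split '/a/b/' into ['a', 'b']; the repository root '/' becomes []."""
    return [s for s in path.split("/") if s]


def _validate_pattern(pattern):
    """Reject wildcards that are not at the end of a directory segment.

    Per the README '/foo*' and '/*' are valid but '/*foo' is not.
    Requiring a leading '/' is an assumption of this model.
    """
    if not pattern.startswith("/"):
        raise ValueError("pattern must be absolute: %r" % pattern)
    for seg in _segments(pattern):
        star = seg.find("*")
        if star != -1 and star != len(seg) - 1:
            raise ValueError("wildcard must end a segment: %r" % pattern)


def parse_rules(text):
    """Parse the [recursive-actions] section into [(pattern, action), ...].

    Only the minimal INI subset needed for this file is handled (assumption).
    """
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "recursive-actions":
            continue
        pattern, _, action = line.partition("=")
        pattern, action = pattern.strip(), action.strip().lower()
        if action not in ("allow", "deny"):
            raise ValueError("bad action %r for %r" % (action, pattern))
        _validate_pattern(pattern)
        rules.append((pattern, action))
    return rules


def matches(pattern, path):
    """True if pattern matches path; '*' covers at most the rest of ONE segment,
    so '/*' matches '/foo' but not '/foo/bar'."""
    psegs, segs = _segments(pattern), _segments(path)
    if len(psegs) != len(segs):
        return False
    for pseg, seg in zip(psegs, segs):
        if pseg.endswith("*"):
            if not seg.startswith(pseg[:-1]):
                return False
        elif pseg != seg:
            return False
    return True


def decide(rules, path):
    """'deny' if a deny rule matches and no allow rule does, else 'allow'.

    An allow rule wins over every deny rule that also matches (the README's
    fallback), and a path matching nothing is allowed: the module only
    blocks what is listed.
    """
    denied = False
    for pattern, action in rules:
        if matches(pattern, path):
            if action == "allow":
                return "allow"
            denied = True
    return "deny" if denied else "allow"


def report_status(rules, path):
    """HTTP status the input filter would give a recursive REPORT on path."""
    return 403 if decide(rules, path) == "deny" else 200


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for p in ("/", "/proj", "/proj/trunk", "/proj/tags", "/proj/tags/1.0",
              "/proj/trunk/src", "/group/proj/branches"):
        print("%-22s %s" % (p, report_status(rules, p)))
```

Two things the model makes visible that the prose does not: /proj/trunk matches the deny rule /*/* as well as the allow rule /*/trunk and is allowed, so rule order in the file is irrelevant; and /proj/tags/1.0 matches no rule at all and goes through, which is the intended outcome, since checking out one tag is cheap and only the whole tags directory is the problem the PR's How-To-Repeat describes.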