Typo in comment

SECURITY: CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track of length of cdata properly when removing leading spaces. * modules/dav/main/util.c (dav_xml_get_cdata): reduce len variable when increasing cdata pointer. Submitted by: Amin Tora <Amin.Tora neustar.biz>

mod_dav: Fix PR 55306. Makes mod_dav no longer require that the lock token be provided when the source of a COPY is locked. The prior behavior was in violating of RFC 4918 which says that the lock token is only required on resources that may be modified by the method. * modules/dav/main/mod_dav.h (DAV_VALIDATE_NO_MODIFY): New flag to be passed to dav_validate_* functions. * modules/dav/main/mod_dav.c (dav_method_copymove): Use the new flag when calling dav_validate_request() on the COPY source. * modules/dav/main/util.c (dav_validate_resource_state): Use the flag to decide to ignore if the lock token is not provided.

Fix indentation (plus now needed line-wrap). Followup to r1470940.

mod_dav: Make sure the URI length is calculated correctly.

mod_dav: Make sure that when we prepare an If URL for Etag comparison, we compare unencoded paths. PR 53910 Patch submitted by Timothy Wood <tjw omnigroup com> Tested by William Lewis <wiml omnigroup com>

mod_dav: Improve error handling in dav_method_put(), add new dav_join_error() function. PR: 54145 Submitted by: Ben Reser <ben reser.org> Reviewed by: trawick

[Test] First try : remove extra ';'

Cleanup effort in prep for GA push: Trim trailing whitespace... no func change

CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure. If a specially crafted request was sent, it is possible to crash mod_dav, mod_cache or mod_session, as they accessed a field that is set to NULL by the URI parser, assuming that it always put in a valid string. PR: 49246 Submitted by: Mark Drayton Patch by: Jeff Trawick

Remove errno from dav_error interface. Calls to dav_new_error() and dav_new_error_tag() must be adjusted to add an apr_status_t parameter. Reviewed by: jorton

* Avoid SEGFAULT as hooks->set_headers can be NULL. Furthermore do not set the ETag header permanently as setting it may not be desired for all responses. Submitted by: niq, rpluem

* Style police. No functional changes.

mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals. PR 38034 Patch by Paritosh Shah Explanation by Werner Baumann

update license header text

Update the copyright year in all .c, .h and .xml files

No functional Change: Removing trailing whitespace. This also means that "blank" lines consisting of just spaces or tabs are now really blank lines

Fix handling of unknown state tokens in If headers: * modules/dav/main/mod_dav.h: Add dav_if_unknown to dav_if_state_type enum. * modules/dav/main/util.c (dav_add_if_state): Set returned type to dav_if_unknown for an unknown state token. (dav_validate_resource_state): Evaluate dav_if_unknown to fail match unless in a Not condition. PR: 37288

* modules/dav/main/mod_dav.h: Wrap all public functions in DAV_DECLARE or DAV_DECLARE_NONSTD. * modules/dav/main/liveprop.c, modules/dav/main/props.c, modules/dav/main/util_lock.c, modules/dav/main/mod_dav.c, modules/dav/main/std_liveprop.c, modules/dav/main/util.c: Update function definitions. Submitted by: Branko Čibej <brane xbc.nu> Reviewed by: Justin Erenkrantz

Update copyright year to 2005 and standardize on current copyright owner line.

FINALLY Correct ap_http_method()! It is NOT a method, it's a SCHEME! Bumped mmn, and ap module cookie, for this function rename. It's not a deprecation, as ap_http_method would be a lovely function name sometime in the future: to determine what the function name implies.

Forward-port from mod_dav 1.0: * modules/dav/main/util.c (dav_validate_resource_state): Fix a 2617 violation: if the lock user validation fails, rather than giving a 401 without a WWW-Authenticate header, give a 403.

fix name of The Apache Software Foundation

apply Apache License, version 2.0

update license to 2004.

stop using apr_sockaddr_port_get() accessor function, as it will disappear from APR 1.0 API shortly

* modules/dav/main/util.c (dav_validate_resource_state): Simplify weak etag comparison to avoid unnecessary tests and pstrdup calls.

Fix a typo in the weak entity check. The prefix is W/" not "W/.

finished that boring job: update license to 2003. Happy New Year! ;-))

fix misuse of const in a recent commit warnings with recent gcc compile break with native compiler for AIX

Allow mod_dav to do weak entity comparison function rather than a strong entity comparison function. (i.e. it will optionally strip the W/ prefix.) PR: 14921 (kinda, but not really)

Fix If header parsing when a non-mod_dav lock token is passed to it. We'll now just skip over it rather than aborting. PR: 16452

When unlocking, the auto-checkin code does not need to refer to the parent resource. We want to (possibly) check in only the resource identified by the params. Bug found by David Waite <mass@akuma.org>

Detabbify. With extreme prejudice.

Continue the Bill Rowe apr_size_t crusade.

Renames Pending: This clears the list of renames pending in apr-util. Parts of this list was alreadu done, but the pending list hadn't been updated. apr_hook_debug_current from apr_current_hooking_module apr_hook_debug_show from apr_show_hook apr_hook_global_pool from apr_global_hook_pool apr_hook_sort_all from apr_sort_hooks apr_uri_port_of_scheme from apr_uri_default_port_for_scheme apr_uri_unparse from apr_uri_unparse_components apr_uri_parse from apr_uri_parse_components apr_uri_parse_hostinfo from apr_uri_parse_hostinfo_components apr_uri_t from apr_uri_components All APR_URI_* from all APU_URI_* symbols All APR_UNP_* from all UNP_* symbols PR: Obtained from: Submitted by: Thom May Reviewed by:

The real pain. ap->apr xml and text types.

Update our copyright for this year.

Give mod_dav the ability to output both standard and customized <D:error> responses. It's crucial for marshalling svn error messages back over to the client; and someday it will be needed to return specific <DAV:> errors as dictated by the DeltaV spec. * mod_dav.h (dav_error): add two new fields -- an optional error namespace, and an error-tag-name. Remove the 'delayed computation' function and cxt ptrs in this struct; they were never used. (dav_new_error_tag): new alternative constructor that takes new fields. * util.c (dav_new_error_tag): implement constructor. * mod_dav.c (dav_error_response_tag): new function to output 'standard' xml error response based on error struct. (dav_handle_err): if no multistatus response is passed in, and if an error-tag is defined, then call our new xml-output routine. Submitted by: Ben Collins-Sussman <sussman@collab.net>

dav_xml_get_cdata() is an exported function, so mark it as such with the DAV_DECLARE macro. [ Barry Pederson <barryp@yahoo.com> ] Apache's handling of ports is broken. Temporarily disable the port checking in the Destination: header. [ Greg Stein ]

Need to store the pool into the xmlns structure.

Add an opaque datatype for managing a set of XML namespace declarations. Part of an upcoming propdb API improvement.

adjust to apr_uri_ rename

adjust to UNP_ -> APR_URI_UNP_ rename

Moved util_uri to apr-util/uri/apr_uri, which means adding the apr_ prefix to all of the uri functions (yuck), changing some includes, and using APR error codes instead of HTTP-specific error codes. Other notes to test this patch: - You need to delete the util_uri.h file - exports picks up on this. - I'd like to remove the apr_uri.h from httpd.h, but that might increase the complexity of this patch even further. Once this patch is accepted (in some form), then I can focus on removing apr_uri.h from httpd.h entirely. I need baby steps (heh) right now. - I imagine that this might break a bunch of stuff in Win32 or other OS builds with foreign dependency files. Any help here is appreciated. This is a start... -- justin Submitted by: Justin Erenkrantz Reviewed by: Roy Fielding

Initialize a local variable to prevent a gcc warning about possible use before set. The code was fine but it is best to keep gcc quiet lest we stop paying attention.

fast-path some cases, primarily to avoid an allocation when it isn't needed. for a "nice" piece of cdata which is in one chunk, this can usually avoid an allocation.

allow non-absolute URIs to occur in some of the requests. RFC 2518 states that the Destination: header (used in MOVE/COPY) must be an absolute URI, so it keeps that constraint.

Fix up the auto-versioning stuff. The new scheme more closely matches the intent of DeltaV draft 14, simplifying some previous assumptions. Includes some heavy fixes to MOVE/COPY in a versioning world. Fix to CHECKOUT when a working resource is not created (checkout in place) Submitted by: John Vasta <jvasta@rational.com>

Backing my earlier change out; There exists the possibility for ap_parse_uri_components to not fill in the port field in certain cases, i.e. wherein the uri begins with /

Since ap_parse_uri_components() now guarantees port will be filled in, this is no longer needed in dav.

Patch to sync with some changes to mod_dav 1.1: *) revamp the set_target stuff -- latest draft calls this UPDATE *) update the CHECKIN method handling *) liveprop providers can catch/define "core" properties before the core gets a chance. Submitted by: John Vasta <jvasta@rational.com> Reviewed by: Greg Stein

*) mod_dav.c: allow PUT to a WORKING resource (this actually the only valid place to do a PUT(!)) *) util.c: add a comment. allow validation to proceed without a lock database (the rest of the code supported it; one erroneous check disabled that work) *) util_lock.c: allow dav_unlock() to be a no-op when a lock provide isn't present; this allows DELETE to work.

include apr_lib.h for apr_isspace() definition

Update copyright to 2001

Clean up some of the includes: - explicitly include apr_lib.h since ap_config.h doesn't - use apr_want.h where possible - use APR_HAVE_ where possible - remove some unneeded includes

renaming various functions for consistency sake see: http://apr.apache.org/~dougm/apr_rename.pl PR: Obtained from: Submitted by: Reviewed by:

Revamp the CHECKOUT method handling and various support functions for it. Basically, the original CHECKOUT was based on a really old draft of the DeltaV specification. This brings it up to date. *) get_resource hook now takes an optional label name and/or a flag on whether to use the DAV:checked-in property; if either one is provided, then a version resource is looked up and returned. WARNING: the parameter types are now the same, but have very different semantics. this means you won't get a compile error to figure out that something needs to be changed here. *) mod_dav.c::dav_get_resource no longer cahces the fetched resource in the request userdata. Some requests will call this function multiple times, for different resources -- we don't want to keep returning the same resource (no idea how this ended up working). *) dav_get_resource()'s parameters have been updated. target_allowed is old terminology; it is now label_allowed. The target paramter is obsoleted by the simple use_checked_in flag. *) dav_get_target_selector() is obsolete. XML element processing is done within the CHECKOUT method (i.e. only where it occurs). The other half of the old function was to simply fetch the Label: header. *) DAV_TARGET_SELECTOR_HDR is now DAV_LABEL_HDR *) dav_method_checkout() now processes all the various options for a CHECKOUT method and either modifies the initial resource lookup, or passes the data to the checkout hook function. *) the checkout hook grew a bunch of new parameters *) new utility function: dav_xml_get_cdata() to gather up all the CDATA from an XML element. this is used to extract DAV:href values. (probably move to util_xml.c at some point)

Provide a way to allow get_resource and get_parent_resource to return errors that might occur during the parsing of the URI and/or the lookup of the resource in the repository. Specifically: return a dav_error* and move the returned dav_resource* to an "out" parameter of the hook function.

The local_addr and remote_addr fields in the conn_rec are now apr_sockaddr_t * instead of sockaddr_in. This is a small step towards IPv6 support.

*) fix subtle crasher in COPY method *) update sub-request-creation calls to include new "next filter" arg

Apply a patch from John Vasta for adding (some/more) DeltaV support to mod_dav. The patch applied and compiled cleanly, so I'm committing. Any necessary changes from a review will come later, so that we can easily track what needed to change (and can be back-ported to mod_dav 1.1). Submitted by: John Vasta <jvasta@rational.com>

final round of walker cleanup: fix the provider API to match what is Right.

first round whack at cleaning up the walker interface

Here it is, mod_dav should build quite nicely on Win32 (two last mild warnings to contend with.)

forward-port John Vasta's checkin to mod_dav 1.1.x (on Sep 25, 2000). this begins some work to upgrade the versioning support to some of the more recent drafts. - get_resource hook has new params - create_collection hook no longer takes a pool - new dav_auto_version_info structure to group up autoversion rollback/commit handling data - new functions for getting workspace, target-selector, etc - supportedlock hook now takes the resource in question (since different resources may have different locks) - new resource types; tweaks in props.c to support them - some tweaks with resource creation, Location header, etc.

update the WebDAV versioning support: - recognize and dispatch the latest set of DeltaV methods - refine the CHECKOUT provider hook - add avail_reports provider hook - fix the "target" resolution mechanism

Updated patch to fix compile warnings from not including apr_strings.h Submitted by: Joe Orton <joe@orton.demon.co.uk> Reviewed by: Bill Stoddard

prefix libapr functions and types with apr_

Add APR_EOL_STR for a platform specific text delimiter, provided by apr.h (defined in apr.h.in and apr.hw). This is needed -only- in APR created files (true raw files) such as logs. It is not required in any splat to screen (stderr/stdout) formatting, nor any html markup. Some other modules slipped through in the prior apr_strings.h commit. Sorry 'bout that. PR: Obtained from: Submitted by: Reviewed by:

Joe Orton writes: This updates mod_dav for the util_xml changes posted previously: * dav_xml -> ap_xml, and dav_text -> ap_text renaming * Add 'dav_elem_private' to hook mod_dav-specific info up to the parsed XML tree. Initialize this in several places, I think I got all necessary? [gjs: yes, you did] * Removal of the old "gross_hack", and all the XML code that was moved into util_xml Submitted by: Joe Orton <joe@orton.demon.co.uk> Reviewed by: Greg Stein

misc const cleanups and others issues found using maintainer-mode (initial errors found by Ryan Bloom). also switch to use new command table initializer macros.

get the DAV stuff to compile for Apache 2.0. some unpleasantries are in there, but it *does* compile.

first, obvious step: alter the license/copyright on all mod_dav files.

initial checkin of the new Apache DAV code. this is a pristine copy of mod_dav 1.0.1 (tag "V1_0_1" in the mod_dav CVS repository). For historical information about these files, see the (old) mod_dav web site at http://www.webdav.org/mod_dav/. CVS repository information can be located from those pages.