MESSAGE
| DATE | 2024-02-18 |
| FROM | Joe Schaefer
|
| SUBJECT | Subject: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request
|
From hangout-bounces-at-nylxs.com Sun Feb 18 23:47:15 2024
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: from www2.mrbrklyn.com (www2.mrbrklyn.com [96.57.23.82])
by mrbrklyn.com (Postfix) with ESMTP id C93BD1640DA;
Sun, 18 Feb 2024 23:47:13 -0500 (EST)
X-Original-To: hangout-at-www2.mrbrklyn.com
Delivered-To: hangout-at-www2.mrbrklyn.com
Received: by mrbrklyn.com (Postfix, from userid 1000)
id 110191640BD; Sun, 18 Feb 2024 23:45:59 -0500 (EST)
Resent-From: Ruben Safir
Resent-Date: Sun, 18 Feb 2024 23:45:58 -0500
Resent-Message-ID: <20240219044558.GI20445-at-www2.mrbrklyn.com>
Resent-To: hangout-at-mrbrklyn.com
X-Original-To: ruben-at-mrbrklyn.com
Delivered-To: ruben-at-mrbrklyn.com
Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org
[95.216.194.37])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "*.apache.org",
Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified))
by mrbrklyn.com (Postfix) with ESMTPS id F211A1640A3
for ; Sun, 18 Feb 2024 13:58:45 -0500 (EST)
Received: from mail.apache.org (mailgw-he-de.apache.org
[IPv6:2a01:4f8:c2c:d4aa::1])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
by mxout1-he-de.apache.org (ASF Mail Server at mxout1-he-de.apache.org) with
ESMTPS id AACF064939
for ; Sun, 18 Feb 2024 18:58:43 +0000 (UTC)
Received: (qmail 1276484 invoked by uid 998); 18 Feb 2024 18:58:37 -0000
Mailing-List: contact modperl-help-at-perl.apache.org; run by ezmlm
Precedence: bulk
Delivered-To: mailing list modperl-at-perl.apache.org
Received: (qmail 1276471 invoked by uid 116); 18 Feb 2024 18:58:36 -0000
Received: from spamproc1-he-de.apache.org (HELO spamproc1-he-de.apache.org)
(116.203.196.100)
by apache.org (qpsmtpd/0.94) with ESMTP; Sun, 18 Feb 2024 18:58:36 +0000
Authentication-Results: apache.org; auth=none
Received: from localhost (localhost [127.0.0.1])
by spamproc1-he-de.apache.org (ASF Mail Server at spamproc1-he-de.apache.org)
with ESMTP id 6D3971FFCAB
for ; Sun, 18 Feb 2024 18:58:36 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamproc1-he-de.apache.org
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level:
X-Spam-Status: No, score=-5 tagged_above=-999 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.2, RCVD_IN_DNSWL_HI=-5,
SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01,
URIBL_BLOCKED=0.001] autolearn=disabled
Authentication-Results: spamproc1-he-de.apache.org (amavisd-new);
dkim=pass (2048-bit key) header.d=sunstarsys.com
Received: from mx1-he-de.apache.org ([116.203.227.195])
by localhost (spamproc1-he-de.apache.org [116.203.196.100]) (amavisd-new,
port 10024) with ESMTP id 1i0MxEf6RQTv for ;
Sun, 18 Feb 2024 18:58:35 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom;
client-ip=2607:f8b0:4864:20::c30; helo=mail-oo1-xc30.google.com;
envelope-from=joe-at-sunstarsys.com; receiver=
Received: from mail-oo1-xc30.google.com (mail-oo1-xc30.google.com
[IPv6:2607:f8b0:4864:20::c30])
by mx1-he-de.apache.org (ASF Mail Server at mx1-he-de.apache.org) with ESMTPS
id BC88B7E61A
for ; Sun, 18 Feb 2024 18:58:35 +0000 (UTC)
Received: by mail-oo1-xc30.google.com with SMTP id
006d021491bc7-59fca9dc69eso483711eaf.1
for ; Sun, 18 Feb 2024 10:58:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=sunstarsys.com; s=google; t=1708282708; x=1708887508; darn=perl.apache.org;
h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
:date:message-id:reply-to;
bh=evCGpQcAtquaAfFI8WpSXwDfr6gkcjasc81YNer8uAY=;
b=goWCxadivWMcp3RW0p9AdU6FItrRmqt89t/GqBC/gFXVre9GXN4mv7NV69eZdPAcWO
4dzz04I+Wh6unbp1O13WLX9RJYOHJWtGoLLkdH0EzPh7GX43UPN3ENgsolXTfH0kjslb
Xu8zWBRaBL8bYet2jJ9zsCVcIdt7pH7rzuMWk9V45LcZjFc3gwqyC1UW+MYxB1Ab6BHo
LkWzeLQTvrBCwKpSQH7fpZP0QsVxyCFrU9OkpkXlHZQCqYrCvXMClXvv9XYu0RQq7aVD
uuelbPvBc1NXB1QWmkS+0vQxZVXxY9G6Nair5uur9cC2cPHpf3Yj/Cq3dzU1FiQz1U6x
SElQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1708282708; x=1708887508;
h=to:subject:message-id:date:from:mime-version:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=evCGpQcAtquaAfFI8WpSXwDfr6gkcjasc81YNer8uAY=;
b=QT67KJZrqvg9ARcwN7taBRP1XNC1sbSIUWCTRUGxd1X5ljOqwxcjWyoEZ3OCOJsWcb
feayKVFuEV7Rl1tN7109GO9D816/scalOdKGj10kdQQg0Xm/EsrIR19pRmGF+45H5hMV
wLsvZtU+Z4JqZj22Nh0I4n/lMyogb0CrwV0jWEFi3wSkPnV+86A8mjirwwLaAZlxncAX
0sdRpYclsfk+R/fk4w7ZGIG255jHUwSKGQcqf4ZBpXfDQNtko0mn9JnVUMELbSTHzxcs
1yTTPLhjVFevMYnLyi2df2dfKKvxqhfAmsF/QFkeAfwrm/VFi3xKqefmTjf0rdWMdzHi
dbCA==
X-Gm-Message-State: AOJu0YyDgi7f9z0zscBudJPtRwzjn5pqJSOWDGS/rhI0c07heNEH8Et8
LnmhfmBX3XMIg2X66x5ckmVc4OXvu4vgKviD0i2uaE89PPaXIUnJy90r0xxKDzX2kMuVuKdNT5i
NC+Iyri4DYjnrjh78gE0G95SildrrLX8jsL9YKgmaxpl3FkqCI/f5Kw==
X-Google-Smtp-Source: AGHT+IG91axTkoCf7Ue7OOlKYhMPhlybLispFZBhu+WEuDKV+nfJyJC9/pIsOLrzUmO76n2qWd6l2c/HZFEvU4sUwp4=
X-Received: by 2002:a05:6358:706:b0:178:75f5:33e6 with SMTP id
e6-20020a056358070600b0017875f533e6mr10459455rwj.19.1708282707552; Sun, 18
Feb 2024 10:58:27 -0800 (PST)
MIME-Version: 1.0
From: Joe Schaefer
Date: Sun, 18 Feb 2024 13:58:17 -0500
Message-ID:
To: mod_perl list
Subject: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request
users
X-BeenThere: hangout-at-nylxs.com
X-Mailman-Version: 2.1.30rc1
List-Id: NYLXS Tech Talk and Politics
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Content-Type: multipart/mixed; boundary="===============1253400941=="
Errors-To: hangout-bounces-at-nylxs.com
Sender: "Hangout"
--===============1253400941==
Content-Type: multipart/alternative; boundary="000000000000f5c1c30611ac8f21"
--000000000000f5c1c30611ac8f21
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
For the past 25 years, I have been the lead developer of the libapreq2
subproject within the Apache HTTPd Server Parent Project. The original idea
of libapreq as a safe/performant HTML form and Cookie parsing library came
out of a collaboration between Lincoln Stein and Doug MacEachern in the
late 90s.
It was my vision back then to transform the library into a generic,
non-Perl related C library that would support language bindings from other
programming languages, which is why I pushed for the project to be homes
under the HTTPd umbrella instead of the Apache-Perl project.
While this vision was wildly successful, with language bindings available
for several languages like Perl, TCL, R, etc, ever since about 2010 its
proven tragic for the existing user community consisting of all of them,
not just Perl.
What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the
time, started agitating that we promote the project to be released from
inside the HTTPd server itself. What Philip didn=E2=80=99t know very well b=
ack then
was how utterly vapid and territorial that team had become, which would
have meant having to collaborate with them directly on user-facing
decisions about the code base.
In 2012, Philip got what he wanted and I stopped resisting, so he forked
the existing project and copied the C library components into HTTPd core.
In 2016 I resigned from the Foundation en masse. You can guess the reasons.
In 2020 or so, Google=E2=80=99s Security Team took advantage of an alpha re=
lease of
httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few hotspots
that needed repair.
Instead of having the courtesy of reaching out to me, or anyone else
involved in development of apreq, a junior engineer on the HTTPd team went
about the business of =E2=80=9Cbug fixing=E2=80=9D the vulnerabilities Goog=
le found. You
can see a record of his trial and error work in every release since then.
But the coup de grace was the 2022 release of 2.17, wherein the rookie
developer purposely introduced a fatal bug into the codebase, breaking a
fifteen year old regression test.
If you are wondering how something with a broken regression test winds up
on CPAN, you=E2=80=99ll have to look into how RELENG is done in the server =
project.
Long story short, they commented out the test and shipped it anyway, and
called it a Security Release that fixed a vulnerability every prior release
was susceptible to.
Why do I care now? Because I=E2=80=99m the sucker users reach out to for an=
swers as
a known subject matter expert.
This sucks, but I=E2=80=99m sorry to tell you that my days wearing the Supe=
rman
cape at Apache ended 8 years ago.
--=20
Joe Schaefer, Ph.D.
Orion - The Enterprise Jamstack Wiki >
954.253.3732
--000000000000f5c1c30611ac8f21
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">Fo=
r the past 25 years, I have been the lead developer of the libapreq2 subpro=
ject within the Apache HTTPd Server Parent Project. The original idea of li=
bapreq as a safe/performant HTML form and Cookie parsing library came out o=
f a collaboration between Lincoln Stein and Doug MacEachern in the late 90s=
.serif;font-size:13.3333px;background-color:rgb(246,246,239)">It was my visi=
on back then to transform the library into a generic, non-Perl related C li=
brary that would support language bindings from other programming languages=
, which is why I pushed for the project to be homes under the HTTPd umbrell=
a instead of the Apache-Perl project. ;font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;background-color=
:rgb(246,246,239)">While this vision was wildly successful, with language b=
indings available for several languages like Perl, TCL, R, etc, ever since =
about 2010 its proven tragic for the existing user community consisting of =
all of them, not just Perl. ly:Verdana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,2=
46,239)">What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at=
the time, started agitating that we promote the project to be released fro=
m inside the HTTPd server itself. What Philip didn=E2=80=99t know very well=
back then was how utterly vapid and territorial that team had become, whic=
h would have meant having to collaborate with them directly on user-facing =
decisions about the code base. amily:Verdana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(24=
6,246,239)">In 2012, Philip got what he wanted and I stopped resisting, so =
he forked the existing project and copied the C library components into HTT=
Pd core. ans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">In 2016 I =
resigned from the Foundation en masse. You can guess the reasons. le=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-siz=
e:13.3333px;background-color:rgb(246,246,239)">In 2020 or so, Google=E2=80=
=99s Security Team took advantage of an alpha release of httpd 2.5 by fuzzi=
ng its 8 year old copy of apreq. It found a few hotspots that needed repair=
. if;font-size:13.3333px;background-color:rgb(246,246,239)">Instead of having=
the courtesy of reaching out to me, or anyone else involved in development=
of apreq, a junior engineer on the HTTPd team went about the business of =
=E2=80=9Cbug fixing=E2=80=9D the vulnerabilities Google found. You can see =
a record of his trial and error work in every release since then. le=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-siz=
e:13.3333px;background-color:rgb(246,246,239)">But the coup de grace was th=
e 2022 release of 2.17, wherein the rookie developer purposely introduced a=
fatal bug into the codebase, breaking a fifteen year old regression test.<=
/p> ;font-size:13.3333px;background-color:rgb(246,246,239)">If you are wonderin=
g how something with a broken regression test winds up on CPAN, you=E2=80=
=99ll have to look into how RELENG is done in the server project. le=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-siz=
e:13.3333px;background-color:rgb(246,246,239)">Long story short, they comme=
nted out the test and shipped it anyway, and called it a Security Release t=
hat fixed a vulnerability every prior release was susceptible to. le=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-siz=
e:13.3333px;background-color:rgb(246,246,239)">Why do I care now? Because I=
=E2=80=99m the sucker users reach out to for answers as a known subject mat=
ter expert. a,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">This su=
cks, but I=E2=80=99m sorry to tell you that my days wearing the Superman ca=
pe at Apache ended 8 years ago.
ature_prefix">-- -smartmail=3D"gmail_signature"> --000000000000f5c1c30611ac8f21-- --===============1253400941== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Hangout mailing list Hangout-at-nylxs.com http://lists.mrbrklyn.com/mailman/listinfo/hangout --===============1253400941==-- --===============1253400941== Content-Type: multipart/alternative; boundary="000000000000f5c1c30611ac8f21" --000000000000f5c1c30611ac8f21 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable For the past 25 years, I have been the lead developer of the libapreq2 subproject within the Apache HTTPd Server Parent Project. The original idea of libapreq as a safe/performant HTML form and Cookie parsing library came out of a collaboration between Lincoln Stein and Doug MacEachern in the late 90s. It was my vision back then to transform the library into a generic, non-Perl related C library that would support language bindings from other programming languages, which is why I pushed for the project to be homes under the HTTPd umbrella instead of the Apache-Perl project. While this vision was wildly successful, with language bindings available for several languages like Perl, TCL, R, etc, ever since about 2010 its proven tragic for the existing user community consisting of all of them, not just Perl. What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the time, started agitating that we promote the project to be released from inside the HTTPd server itself. What Philip didn=E2=80=99t know very well b= ack then was how utterly vapid and territorial that team had become, which would have meant having to collaborate with them directly on user-facing decisions about the code base. In 2012, Philip got what he wanted and I stopped resisting, so he forked the existing project and copied the C library components into HTTPd core. In 2016 I resigned from the Foundation en masse. You can guess the reasons. In 2020 or so, Google=E2=80=99s Security Team took advantage of an alpha re= lease of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few hotspots that needed repair. Instead of having the courtesy of reaching out to me, or anyone else involved in development of apreq, a junior engineer on the HTTPd team went about the business of =E2=80=9Cbug fixing=E2=80=9D the vulnerabilities Goog= le found. You can see a record of his trial and error work in every release since then. But the coup de grace was the 2022 release of 2.17, wherein the rookie developer purposely introduced a fatal bug into the codebase, breaking a fifteen year old regression test. If you are wondering how something with a broken regression test winds up on CPAN, you=E2=80=99ll have to look into how RELENG is done in the server = project. Long story short, they commented out the test and shipped it anyway, and called it a Security Release that fixed a vulnerability every prior release was susceptible to. Why do I care now? Because I=E2=80=99m the sucker users reach out to for an= swers as a known subject matter expert. This sucks, but I=E2=80=99m sorry to tell you that my days wearing the Supe= rman cape at Apache ended 8 years ago. --=20 Joe Schaefer, Ph.D.
Orion - The Enterprise Jamstack Wiki >
954.253.3732
--000000000000f5c1c30611ac8f21
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">Fo=
r the past 25 years, I have been the lead developer of the libapreq2 subpro=
ject within the Apache HTTPd Server Parent Project. The original idea of li=
bapreq as a safe/performant HTML form and Cookie parsing library came out o=
f a collaboration between Lincoln Stein and Doug MacEachern in the late 90s=
.serif;font-size:13.3333px;background-color:rgb(246,246,239)">It was my visi=
on back then to transform the library into a generic, non-Perl related C li=
brary that would support language bindings from other programming languages=
, which is why I pushed for the project to be homes under the HTTPd umbrell=
a instead of the Apache-Perl project. ;font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;background-color=
:rgb(246,246,239)">While this vision was wildly successful, with language b=
indings available for several languages like Perl, TCL, R, etc, ever since =
about 2010 its proven tragic for the existing user community consisting of =
all of them, not just Perl. ly:Verdana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,2=
46,239)">What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at=
the time, started agitating that we promote the project to be released fro=
m inside the HTTPd server itself. What Philip didn=E2=80=99t know very well=
back then was how utterly vapid and territorial that team had become, whic=
h would have meant having to collaborate with them directly on user-facing =
decisions about the code base. amily:Verdana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(24=
6,246,239)">In 2012, Philip got what he wanted and I stopped resisting, so =
he forked the existing project and copied the C library components into HTT=
Pd core. ans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">In 2016 I =
resigned from the Foundation en masse. You can guess the reasons. le=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-siz=
e:13.3333px;background-color:rgb(246,246,239)">In 2020 or so, Google=E2=80=
=99s Security Team took advantage of an alpha release of httpd 2.5 by fuzzi=
ng its 8 year old copy of apreq. It found a few hotspots that needed repair=
. if;font-size:13.3333px;background-color:rgb(246,246,239)">Instead of having=
the courtesy of reaching out to me, or anyone else involved in development=
of apreq, a junior engineer on the HTTPd team went about the business of =
=E2=80=9Cbug fixing=E2=80=9D the vulnerabilities Google found. You can see =
a record of his trial and error work in every release since then. le=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-siz=
e:13.3333px;background-color:rgb(246,246,239)">But the coup de grace was th=
e 2022 release of 2.17, wherein the rookie developer purposely introduced a=
fatal bug into the codebase, breaking a fifteen year old regression test.<=
/p> ;font-size:13.3333px;background-color:rgb(246,246,239)">If you are wonderin=
g how something with a broken regression test winds up on CPAN, you=E2=80=
=99ll have to look into how RELENG is done in the server project. le=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-siz=
e:13.3333px;background-color:rgb(246,246,239)">Long story short, they comme=
nted out the test and shipped it anyway, and called it a Security Release t=
hat fixed a vulnerability every prior release was susceptible to. le=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-siz=
e:13.3333px;background-color:rgb(246,246,239)">Why do I care now? Because I=
=E2=80=99m the sucker users reach out to for answers as a known subject mat=
ter expert. a,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">This su=
cks, but I=E2=80=99m sorry to tell you that my days wearing the Superman ca=
pe at Apache ended 8 years ago.
ature_prefix">-- -smartmail=3D"gmail_signature"> --000000000000f5c1c30611ac8f21-- --===============1253400941== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Hangout mailing list Hangout-at-nylxs.com http://lists.mrbrklyn.com/mailman/listinfo/hangout --===============1253400941==-- |
|
![](3D"https://ci3.googleusercontent.com/mail-sig/AIorK4znBF_TAme6pCi=<BR)
av9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6fAW1Hn4">