[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Revision dates in URLs

From: Jonathan Gilbert <o2w9gs702_at_sneakemail.com>
Date: 2006-08-29 16:44:29 CEST

At 02:22 PM 28/08/2006 -0400, C. Michael Pilato wrote:
>Nilton Volpato wrote:
>> Index: subversion/libsvn_subr/opt.c
>> ===================================================================
>> --- subversion/libsvn_subr/opt.c (revision 21264)
>> +++ subversion/libsvn_subr/opt.c (working copy)
>> @@ -730,9 +730,24 @@
>> }
>> else /* looking at non-empty peg revision */
>> {
>> + char *rev = path + i + 1;
>> + int rev_len = strlen(rev);
>> + char *unescaped_rev;
>> +
>> + /* if rev.startswith('%7B') and rev.endswith('%7D') */
>> + if ( rev[0] == '%' && rev[1] == '7' && rev[2] == 'B' &&
>> + rev[rev_len-3] == '%' && rev[rev_len-2] == '7' &&
>> + rev[rev_len-1] == 'D' ) {
>
>Eek! There's no bounds-checking, so the patch can read off either end
>of the string. Remember, not all input to this function is URI-escaped
>URLs -- could be regular ol' system paths, which quite possibly can be
>named just "%".

Actually, if you look closely, this code is very clever:

- If the string is 0 bytes long, then "rev[0] == '%'" will fail, and none
of the other checks will run.
- If the string is 1 byte long, then "rev[1] == '7'" will fail, and none of
the other checks will run.
- If the string is 2 bytes long, then "rev[2] == 'B'" will fail, and none
of the other checks will run.
- Therefore, if you actually make it to the "rev[rev_len - 3] == '%'"
check, you know that rev_len is at least 3.

There would be a small issue if it were, say, a quote character being
checked, such that the start & end character would be the same and a string
with only one character would pass both the starts-with and ends-with
tests, but since the left brace ends in 'B' and the right brace ends in
'D', a string fewer than 6 bytes will never pass this test.

Jonathan Gilbert

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Aug 29 17:23:19 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.