
Re: [PATCH] HTTPv2 allow client to control transaction name in protocol

From: Philip Martin <philip.martin_at_wandisco.com>
Date: Tue, 01 Mar 2011 18:12:27 +0000

"C. Michael Pilato" <cmpilato_at_collab.net> writes:

> Just a thought: Have you considered expanding the scope of the private
> resource space rather than using the magic prefix hack? You could add
> ".../!svn/vtxn/UUID" and ".../!svn/vtxr/UUID/..." to be alternate ways to
> address transactions and transaction roots (the "v" there being a shortcut
> for "virtual"). This is *effectively* the same approach as yours -- there's
> a different prefix here. But the prefix is a clearly defined piece of the
> protocol, not just some magic bit buried in mod_dav_svn's codebase.

I'll have a think about that. One aim is that the proxy can be as dumb
as possible about the Subversion protocol, so that it doesn't have to
rewrite all commit requests. If the client doesn't send the vtxn/vtxr
URLs the proxy has to do more work.

Another thing about exposing the transaction name in the protocol is
that it is much more predictable than a UUID. Temporary files with
predictable names can be a security issue; are predictable transaction
names a security issue?

Could a malicious client guess a transaction name and make changes that
would subsequently be committed by the transaction "owner"? I think
auth checks happen when writing to the transaction, so the malicious
client can only make changes that would be allowed by auth.

However, the pre/post-commit hooks only run at commit (HTTP MERGE), so
the malicious client's changes would go through these with the
transaction owner's credentials.

-- 
Philip
Received on 2011-03-01 19:13:07 CET

This is an archived mail posted to the Subversion Dev mailing list.
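
The concern raised in the mail, as an added toy model in Python (not code from the mail, Subversion, or mod_dav_svn): writes are authorized per writer, but the commit-time hook sees only the committing user, so a second user's permitted write is attributed to the transaction owner. The `Repo`, `Txn`, `ACL` and `bind_writers` names, the users, paths and the transaction name `42-1` are all constructed; per-write authorization is taken from the mail's "I think", and `bind_writers` is a hypothetical mitigation that rejects a commit containing writes by anyone other than the committer.

```python
# Toy model constructed for illustration; not Subversion or mod_dav_svn code.
from dataclasses import dataclass, field

# Hypothetical path rules: user -> path prefixes that user may modify.
ACL = {"alice": ("/trunk/", "/docs/"), "mallory": ("/docs/",)}

@dataclass
class Txn:
    owner: str                                   # user who created the transaction
    writes: list = field(default_factory=list)   # (user, path) in arrival order

class Repo:
    def __init__(self):
        self.txns, self.hook_log = {}, []

    def begin(self, user, name):
        self.txns[name] = Txn(user)

    def write(self, user, name, path):
        # Assumption from the mail: auth is checked per write, for the writing user.
        if not path.startswith(ACL.get(user, ())):
            raise PermissionError(f"{user} may not write {path}")
        self.txns[name].writes.append((user, path))

    def commit(self, user, name, bind_writers=False):
        txn = self.txns[name]
        foreign = sorted({u for u, _ in txn.writes if u != user})
        if bind_writers and foreign:
            # Hypothetical mitigation: refuse to commit other users' writes.
            raise PermissionError(f"txn {name} holds writes by {foreign}")
        # Hooks run once, at commit, and see only the committing user.
        self.hook_log.append((user, [p for _, p in txn.writes]))
        del self.txns[name]

def demo(bind_writers):
    repo = Repo()
    repo.begin("alice", "42-1")                     # constructed, guessable name
    repo.write("alice", "42-1", "/trunk/main.c")
    repo.write("mallory", "42-1", "/docs/README")   # within mallory's own ACL
    try:
        repo.write("mallory", "42-1", "/trunk/main.c")
    except PermissionError:
        pass                                        # write-time auth still holds
    try:
        repo.commit("alice", "42-1", bind_writers)
    except PermissionError as exc:
        return f"rejected: {exc}"
    return repo.hook_log[-1]
```

`demo(False)` returns the hook's view of the commit, which names only the committer; `demo(True)` returns the rejection message instead.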