On Fri, Nov 14, 2008 at 2:32 PM, jehan procaccia
<jehan.procaccia_at_it-sudparis.eu> wrote:
> Well, I understand that it won't be an easy task .
> I like this one:
> "Can't you just svnlook cat -t each file?"
> if you have a complete command sample with a pipe to clamav , that would
> same me hours searching how to do it ;-) .
We don't actually do the scanning (we use clamd for something else
entirely), but the extraction piece is basically
* start with the pre-commit example
* $SVNLOOK changed -t "$TXN" "$REPOS" | cut -c5-
to get a list of changed files
* TMPDIR=$(mktemp -d)
to get a place to work
* $SVNLOOK cat "$REPOS" -t "$TXN" "$JAMPATH" > Jamfile
except using the paths from the svnlook above, and instead of >
Jamfile, use a name for a tempfile, and then run "clamdscan
tempfile"... if you did a "set -e" in the script earlier, it'll exit
the whole thing with failure immediately, and the user will get the
stderr output spit back at them...
>
> The alternative of checking-out a dedicated Working Copy for scanning it
> with a windows antivirus and then commit back on the server repository only
> clean files seems ok to me, but what should I do with eventual infected
> files ? hopefully the antivirus would remove the virus from the infected
> file, and then I force a commit on it ? but how ? I have to do a small
> change in it so that it get a newer revision ?
>
> Thanks .
>
> Andy Levy a écrit :
>>
>> On Fri, Nov 14, 2008 at 13:19, Bob Archer <Bob.Archer_at_amsi.com> wrote:
>>
>>>
>>> Can't you create pre-commit scripts client side to do something like
>>> this?
>>>
>>
>> Depends on what "this" is.
>>
>> To scan the file contents before they go into the repository, you'd
>> have to maintain a WC on the server for the whole repository (or
>> perform a checkout or export) and apply the diff to that WC, then run
>> the virus scan & check the results.
>>
>>
>>>
>>> -----Original Message-----
>>> From: Andy Levy [mailto:andy.levy_at_gmail.com]
>>> Sent: Friday, November 14, 2008 1:14 PM
>>> To: jehan.procaccia_at_it-sudparis.eu
>>> Cc: users_at_subversion.tigris.org
>>> Subject: Re: scan repository for viruses
>>>
>>> On Fri, Nov 14, 2008 at 13:01, jehan procaccia
>>> <jehan.procaccia_at_it-sudparis.eu> wrote:
>>>
>>>>
>>>> hello,
>>>>
>>>> I know that some users commit files containing viruses :-(
>>>> how can I check/scan a svn repository for viruses before the they are
>>>>
>>>
>>> spread
>>>
>>>>
>>>> on all clients updating their local files ?
>>>>
>>>> I know that real files /revisions are located in db/revs subdir (ei
>>>> /svn/repos/Test-repo/db/revs), but then it's only index filenames ...
>>>> is their a way to scan a repository on the server ?
>>>>
>>>> PS: I use subversion-1.4.2-2.el5 on Centos 5.2 , btw, do you recommend
>>>>
>>>
>>> an
>>>
>>>>
>>>> anti-virus under linux ?
>>>>
>>>
>>> Even when whole versions of the files are stored, I believe they're
>>> stored compressed. You'll have to check out each revision of the
>>> repository and scan incrementally.
>>>
>>> But what will you do once you've found the files? Remove them with
>>> svnadmin dump/svndumpfilter/svnadmin load?
>>>
>>> Won't the antivirus on the desktops protect those desktops when they
>>> perform a checkout? How did these infected files even get into the
>>> repository in the first place? You may fix the problem "today" but
>>> unless measures are in place, you could find yourself back in this
>>> same position next week.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
>>> For additional commands, e-mail: users-help_at_subversion.tigris.org
>>>
>>>
>>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
> For additional commands, e-mail: users-help_at_subversion.tigris.org
>
>
--
_Mark_ <eichin_at_thok.org> <eichin_at_gmail.com>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-11-14 22:36:51 CET