Here's a patch to svnserve to prevent accesses below the path given by
the '-r' option on the command line.
Should the apr_filepath_merge be called directly, or should a new
function be made for this in libsvn_subr?
No log message, I can commit this myself when it's finished.
-- Naked
Patch:
Index: subversion/svnserve/serve.c
===================================================================
--- subversion/svnserve/serve.c (revision 4068)
+++ subversion/svnserve/serve.c (working copy)
@@ -25,6 +25,7 @@
#include <apr_strings.h>
#include <apr_network_io.h>
#include <apr_user.h>
+#include <apr_file_info.h>
#include <svn_types.h>
#include <svn_string.h>
@@ -841,7 +842,9 @@
const char **fs_path, apr_pool_t *pool)
{
svn_error_t *err;
+ apr_status_t apr_err;
const char *client_path, *full_path, *candidate;
+ char *buffer;
/* Decode any escaped characters in the URL. */
url = svn_path_uri_decode(url, pool);
@@ -856,9 +859,17 @@
client_path = (client_path == NULL) ? "" : client_path + 1;
/* Join the server-configured root with the client path. */
- full_path = svn_path_join(svn_path_canonicalize(root, pool),
- svn_path_canonicalize(client_path, pool),
- pool);
+ apr_err = apr_filepath_merge(&buffer,
+ svn_path_canonicalize(root, pool),
+ svn_path_canonicalize(client_path, pool),
+ APR_FILEPATH_SECUREROOT,
+ pool);
+
+ if(apr_err)
+ return svn_error_create(SVN_ERR_BAD_FILENAME, apr_err, NULL,
+ "Couldn't determine repository path.");
+
+ full_path = svn_path_canonicalize(buffer, pool);
/* Search for a repository in the full path. */
candidate = full_path;
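Review bot: The rejection at `if(apr_err)` folds every apr_filepath_merge failure into one SVN_ERR_BAD_FILENAME with the text "Couldn't determine repository path.", so a request that tried to climb above the -r root looks the same to an administrator as an ordinary malformed path; consider testing for `APR_EABOVEROOT` and giving that case its own message. The containment is also decided on the path string only, and as far as I can tell nothing in this hunk resolves symlinks, so a link inside the root that points elsewhere would presumably still be followed when the repository is opened. A comment above the call such as `/* Lexical check only: rejects ".." escapes and absolute client paths; does not resolve symlinks under root. */` would keep that limit visible. Minor style point: write `if (apr_err)` with a space after `if`. The enclosing function starts before this hunk and continues after it.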
Received on Mon Dec 9 18:16:59 2002