Re: ".svn" directory name no good (in fact, it is worse than I thought)

From: John Peacock <jpeacock_at_rowman.com>
Date: 2003-09-25 20:08:18 CEST

Ronald Cannes wrote:

> Can someone do it, and, while your at it, put P1 on it and due 0.32.
> Seriously. This is getting really problematic as we move to a real
> development environment!

Not going to happen, according the many of the core developers. Find another
horse to flog...

> Since this is due to a security patch, this has to be fixed in svn.

No, it was due to the stupidest possible security patch that M$loth could make.
There is no security issue with having periods in directory names; the problem
they were attempting to fix was having _only_ periods in the directory name.
And that is only a problem because their directory traversing code has no
security checks to speak of (so that it is very fast).

Other Windows-based web servers have proper directory traversing code and have
no problem with periods in directory names. They also don't typically have
security problems with "../../../" in URL's. Try Deerfield's WebSite (the
original Win32 web server) or Apache (if you've gotten used to not paying for
your server software). FWIW, I use WebSite and have directories with periods in
them without problem.

> This is NOT a bug in Microsoft ASP.NET as someone else noted.

In the sense that the bug is in IIS, you are correct. That being said, I have
no illusions that M$loth will fix their buggy software anytime soon.

There have already been suggested patches to use _svn for Windows; feel free to
apply those to your private copy. Someone may decide to provide prebuilt
binaries for Win32 users without the capability of building your own. However,
I have to vote with the other developers who say this is not Subversion's
problem to fix.

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Thu Sep 25 20:14:46 2003

This message: [ Message body ]
Next message: Files: "mvadminfrom script licenced correctly"
Previous message: pll_at_lanminds.com: "Re: ".svn" directory name no good (in fact, it is worse than I thought)"
In reply to: Ronald Cannes: "Re: ".svn" directory name no good (in fact, it is worse than I thought)"
Next in thread: Mike Mason: "Re: ".svn" directory name no good (in fact, it is worse than I thought)"
Reply: Mike Mason: "Re: ".svn" directory name no good (in fact, it is worse than I thought)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]