mark benedetto king <mbk@lowlatency.com> writes:
> Also, there is issue 1051: "mod_dav_svn displays real path to repository".
>
> This is a real information leak that is likely to be "discovered" by
> third-party auditors and reported on security mailing lists, and will
> give mod_dav_svn an undeserved black eye.
>
> I'd like to make issue 1051 a requirement for 1.0, or document clearly
> in INSTALL that an empty repository (or a misconfigured one) can result
> in this behaviour.
This leak can only happen if one has misconfigured one's server -- you
have to have an SVN location pointing to an empty (uninitialized)
repository, then the leak can happen. So I don't think this needs to
be a 1.0 requirement -- the client can't stimulate this leak from a
well-configured server.
Nevertheless, it sure would be nice to get it fixed :-). I have an
untested patch; could you try it out and let me know if it's right?
-*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*-
Fix issue #1501: mod_dav_svn can leak real repository path to client.
* subversion/mod_dav_svn/repos.c
(dav_svn_get_resource): Use one error for the server logs, another
for dav and thence to the client.
Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c (revision 7837)
+++ subversion/mod_dav_svn/repos.c (working copy)
@@ -1194,11 +1194,21 @@
serr = svn_repos_open(&(repos->repos), fs_path, r->connection->pool);
if (serr != NULL)
{
- return dav_svn_convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
- apr_psprintf(r->pool,
- "Could not open the SVN "
- "filesystem at %s",
- fs_path));
+ /* The error returned by svn_repos_open might contain the
+ actual path to the failed repository. We don't want to
+ leak that path back to the client, because that would be
+ a security risk, but we do want to log the real error on
+ the server side. */
+ const char *new_msg = "Could not open the requested SVN filesystem";
+ svn_error_t *sanitized_error = svn_error_quick_wrap(serr, new_msg);
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, r,
+ "%s", serr->message);
+
+ /* Return a slightly less informative error to dav. */
+ return dav_svn_convert_err (sanitized_error,
+ HTTP_INTERNAL_SERVER_ERROR,
+ apr_psprintf(r->pool, new_msg));
}
/* Cache the open repos for the next request on this connection */
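Review bot: sanitized_error is built with svn_error_quick_wrap(serr, new_msg), so the original serr, whose message the new comment says may contain the real path, is still attached as the wrapped error inside what gets handed to dav_svn_convert_err. If that function serializes anything beyond the top-level message, the path still reaches the client. It would be safer to log serr, clear it, and pass dav_svn_convert_err a fresh error that carries only new_msg. Two smaller points in the same hunk: ap_log_rerror records only serr->message, so any errors chained beneath serr never reach the server log, and apr_psprintf(r->pool, new_msg) uses new_msg as a format string; it is a constant without % today, but passing new_msg directly (or formatting it with "%s") avoids a surprise if the text is ever edited.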
Received on Mon Nov 24 21:41:07 2003