[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Showing full pathname of repo

From: Mark Benedetto King <mbk_at_lowlatency.com>
Date: 2004-01-25 16:26:30 CET

On Sun, Jan 25, 2004 at 04:11:10AM +0000, Colin Watson wrote:
> On Sun, Jan 25, 2004 at 10:39:05AM +0800, plasma wrote:
> > I just ran into this command:
> >
> > plasma_at_plasmanb:~> svn log -r 9900 -v http://svn.elixus.org/repos/
> > subversion/libsvn_ra_dav/util.c:661: (apr_err=160006)
> > svn: PROPFIND request failed on '/repos/!svn/vcc/default'
> > subversion/libsvn_ra_dav/util.c:359: (apr_err=160006)
> > svn:
> > reference to non-existent revision '9900' in filesystem '/home/svnrepos/repos/db'
> >
> > And I noticed the full pathname of repository is shown. Is this a
> > good idea to reveal the full pathname of repository?
>
> Surely, if it matters that an attacker knows the path, you've already
> lost anyway? I've found the information useful for diagnosing problems
> in the past and don't see how it's a vulnerability.
>

Path disclosure is information leakage. There have been vulnerabilities
in other software components (Tomcat, for example) that allow you to obtain
the full contents of a file if you know its absolute path.

--ben

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Jan 25 16:27:04 2004

This is an archived mail posted to the Subversion Dev mailing list.