On Tue, 3 Aug 2004, Greg Hudson wrote:
> On Tue, 2004-08-03 at 18:17, Peter N. Lundblad wrote:
> > > * Making svnserve's find_repos() use svn_path_join() instead of
> > > apr_filepath_merge(). To prevent the client from escaping from the
> > > repository root, we'd have to check for ".." path elements separately.
>
> > Would it be enough to check the URL path for "too many .. segments", i.e.
> > "foo/../bar" would be ok, but "foo/../.." would fail?
>
> I don't think we're currently allowing any .. segments in URLs, so it
> seems simplest to just blow out if you find any path segment equal to
> "..".
>
I've attached a patch that does this. This can be a security hole if not
done correctly, so would someone please review it. I couldn't juse
svn_path_is_backpath_present because it only checks for / as segment
separator, which isn't enough on Windows ofcourse. Still, I'm not sure
about irregular UTF8 sequences (I asked about that in an earlier mail).
Maybe we should add validation to svn_utf_cstring_from_utf8 and friends
even if the native charset is UTF-8.
Comments?
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Aug 4 23:21:27 2004