[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Possibly wrong string comparisons in SVN

From: Andy Whitcroft <apw_at_shadowen.org>
Date: 2004-10-26 11:19:05 CEST

Branko Čibej wrote:
> Roland Ruedenauer wrote:

>> if ((strncmp (hostname, "localhost", 9) != 0))
>>
>> 2) libsvn_repos/fs-wrap.c line 330 and 332
>>
>> /* Only svn:author and svn:date are fetchable. */
>> if ((strncmp (propname, SVN_PROP_REVISION_AUTHOR,
>> strlen(SVN_PROP_REVISION_AUTHOR)) != 0)
>> && (strncmp (propname, SVN_PROP_REVISION_DATE,
>> strlen(SVN_PROP_REVISION_DATE)) != 0))
>> *value_p = NULL;
>>
>>
> Probably, but they're all correct (I hope :-).

Although yes we are looking at a substring, should we not be checking
the terminator also? We'll get a false negative on the localhost check
localhost-foo.bar.com. I guess it should check for end of string or "."
as the next character? In the second case if you had other props with a
common prefix could they not suffer value leak (this is part of the
security fix right); obviously unlikely you'd choose to share these
prefixes, but perhaps its still 'wrong' per-see.

-apw

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Oct 26 11:19:38 2004

This is an archived mail posted to the Subversion Dev mailing list.