[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

svn URL's with '..' elements

From: Chris Pickett <chris.pickett_at_mail.mcgill.ca>
Date: 2005-02-23 00:44:52 CET

Hi,

sussman on #svn asked me to bring this up here.

I have three versions of svn installed on various machines, 1.0.4,
1.1.1, and 1.1.3.

Under 1.0.4 I can do:

$ svn ls svn://svn.sablevm.org/sablevm/..
archives/
developers/
libffi/
sablecc/
sablecc-ant-task/
sablecc-grammars/
sablejit/
sablevm/
sablevm-classpath/
sablevm-test-suite/
websites/

but under 1.1.1 and 1.1.3 I get:

$ svn ls svn://svn.sablevm.org/sablevm/..
svn: URL 'svn://svn.sablevm.org/sablevm/..' contains a '..' element

sussman was incredulous about this, saying that for some reason in 1.0
'..' is being accepted deeper in the code, but that validation of URL's
in 1.1 is rejected the command.

Personally, I used this accidental feature a lot, because I would often
use an exported bash variable to save typing, and then simply append /..
to it, e.g.:

$ svn log $STAGING/..

instead of

$ svn log svn+ssh://svn.sablevm.org/public/sablevm/branches/staging/..

so ... I guess this mail serves two purposes:

1) bring this to your attention
2) request that you allow for '..' in a URL again if it isn't a security
hole

I'm not sure what version of svn is running on the server, but I can
find out if you want.

Cheers,
Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Feb 23 00:46:31 2005

This is an archived mail posted to the Subversion Dev mailing list.