[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svn URL's with '..' elements

From: Ben Reser <ben_at_reser.org>
Date: 2005-02-23 01:36:49 CET

On Tue, Feb 22, 2005 at 06:44:52PM -0500, Chris Pickett wrote:
> sussman on #svn asked me to bring this up here.
> I have three versions of svn installed on various machines, 1.0.4,
> 1.1.1, and 1.1.3.
> Under 1.0.4 I can do:
> $ svn ls svn://svn.sablevm.org/sablevm/..
> archives/
> developers/
> libffi/
> sablecc/
> sablecc-ant-task/
> sablecc-grammars/
> sablejit/
> sablevm/
> sablevm-classpath/
> sablevm-test-suite/
> websites/
> but under 1.1.1 and 1.1.3 I get:
> $ svn ls svn://svn.sablevm.org/sablevm/..
> svn: URL 'svn://svn.sablevm.org/sablevm/..' contains a '..' element
> sussman was incredulous about this, saying that for some reason in 1.0
> '..' is being accepted deeper in the code, but that validation of URL's
> in 1.1 is rejected the command.
> Personally, I used this accidental feature a lot, because I would often
> use an exported bash variable to save typing, and then simply append /..
> to it, e.g.:
> $ svn log $STAGING/..
> instead of
> $ svn log svn+ssh://svn.sablevm.org/public/sablevm/branches/staging/..
> so ... I guess this mail serves two purposes:
> 1) bring this to your attention
> 2) request that you allow for '..' in a URL again if it isn't a security
> hole
> I'm not sure what version of svn is running on the server, but I can
> find out if you want.

We had support for this briefly, I think maybe one release, but IIRC
removed it for these reasons:

* Despite common usage .. doesn't have any special meaning per the URI
* Because we canonicalize URLs on input it could create confusing
results. In particular if the resulting path didn't exist the URL we
said didn't exist wouldn't match what the user requested.
* The behavior is undefined when dealing with no-op path elements e.g.
//. Should we remove it or not.
* Caused some sort of issues with externals.
* Were more trouble than they were worth to make function safely (e.g.
buffer underflows).

jpieper is the one who specificially removed the functionality perhaps
he can be specific or correct me if I'm remembering wrong.

Ben Reser <ben@reser.org>
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Feb 23 01:37:57 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.