Suppress display of sensitive info by servers (proposal)

From: Daniel Rall <dlr_at_finemaltcoding.com>
Date: 2005-04-12 21:22:30 CEST

Issues: 1051, 2271

Problem:

o Possibly sensitive server information is currently revealed to
clients by mod_dav_svn and svnserve (e.g. path to repository).

$ svn log -r3209683
svn: PROPFIND request failed on '/repos/svn/!svn/vcc/default'
svn:
Reference to non-existent revision 3209683 in filesystem
'/usr/www/repositories/svn/db'

o There is no way to tell from looking at an error object whether it
contains security-sensitive information.

Requirements of any solution:

o Low-level libraries should continue to propogate all contextual
information available (including security-sensitive info). For
example, httpd error logs should contain file system paths to the
repository, as should error messages from file:// operations.

o Secure versions of error messages must still contain relevant
security-insensitive information (e.g. "Reference to non-existent
revision 3209683", even though the path is omitted).

Solution:

o Add field, "safe_message" to svn_error_t which contains a safe
version of the error message. Callers -- mod_dav_svn, svnserve,
etc. -- may choose the secure or insecure error message depending on
their needs (e.g. talking to the client or the httpd error logs).

o Constructors of error messages are responsible for knowing when they
are including security-sensitive data, and should provide an alternate
"safe" version of the message too.

svn_error_t *err = svn_error_createf (apr_err, child,
                                      "Reference to non-existent
revision %d "
                                       "in filesystem '%s'", rev, path);
/* ### Use helper function to avoid pool usage mistakes? */
err->safe_message = apr_psprintf(err->pool,
                                 "Reference to non-existent revision %
d",
                                 rev);

o Helper function to acquire appropriate error message from svn_error_t:

/** Return the least security-sensitive available custom message in @a
* err.
*/
char *
svn_error_safest_message(svn_error_t *err)
{
return (err->safe_message ? err->safe_message : err->message);
}

o A macro which logs the security-insensitive version, and returns the
secure version (for usage in mod_dav_svn, svnserve, etc.)?

Questions about solution:

o Do we need svn_error2_t for safe_message (for binary compatibility)?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Apr 12 22:17:52 2005

This message: [ Message body ]
Next message: kfogel_at_collab.net: "Re: fsfs and user permissions"
Previous message: Peter N. Lundblad: "Re: Strategy for FSFS locking fix and 1.2"
Next in thread: kfogel_at_collab.net: "Re: Suppress display of sensitive info by servers (proposal)"
Reply: kfogel_at_collab.net: "Re: Suppress display of sensitive info by servers (proposal)"
Reply: Molle Bestefich: "Re: Suppress display of sensitive info by servers (proposal)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]