David James wrote:
>> Right now, if you pass in a really long list of valid arguments into
>> the command-line client, you can overflow its buffer of command-line
>> options and execute arbitrary code. The impact of this bug is
>> mitigated by the fact that users who have access to the command-line
>> client can usually already execute arbitrary code.
>>
>> To see this bug in action, type the following command:
>> yes --old | head -n 300 | xargs svn
>>
>> Before the patch:
>> james@syntax% yes --old | head -n 300 | xargs svn
>> xargs: svn: terminated by signal 11
>>
>> After the patch:
>> james@syntax% yes --old | head -n 300 | xargs
>> subversion/clients/cmdline/svn svn: Too many options
>>
>> clients/cmdline/main.c
>> (main): Prevent buffer overflow when list of command-line options is very
>> long
Thanks for the report.
Branko Čibej wrote:
> Actually, the use of a statically-sized array to hold options is wrong
> in the first place. I'd prefer a fix that changes the type of
> received_opts.
Yes, an apr array should handle this just fine.
Fixed in r15251, and proposed for backport.
Max.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jul 4 14:12:26 2005