[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] fix handling of files/dirs with ":" in mod_dav_svn index listing

From: Michael Sinz <Michael.Sinz_at_sinz.org>
Date: 2005-10-23 05:33:54 CEST

In mod_dav_svn the returned links (and XML href attributes) need to be escaped
for correct relative URL/URI support as per RFC 1808 [1]

All but one case is currently handled via the use of ap_escape_uri() within
mod_dav_svn. The case is that of a file or directory that contains a ":"
character. [2]

The ":" character has special meaning before the first "/" character. If a ":"
is encountered before the first "/" then the text before the ":" is the scheme
or protocol. (http:, ftp:, etc) Because full URLs (or URIs) can be escaped,
there is no way for the ap_escape_uri() function to know what to do with a ":"

However, Apache has the ap_os_escape_path() call (which is what ap_escape_uri()
really devolves into) with a 3rd parameter that tells it to treat the path as
something that will not be prepended with a full scheme://host/ syntax. When
used in this context, the code checks if there is a ":" before the first "/"
and if so will prepend to the URL a "./" in order to render the ":" inert.

This fix should also be considered for a backport to 1.3.x and 1.2.x as it
has a security implication. Namely, since currently mod_dav_svn does not
escape the links with ":" correctly, someone can put into the repository
a malicious link using whatever scheme is desired.

See thread starting at http://svn.haxx.se/dev/archive-2005-10/1058.shtml
for more details.

[1] see http://www.faqs.org/rfcs/rfc1808.html
[2] we ignore the issue of an entry with "/" in it since that is generally not
     accepted. If that needs to be supported there are *many* other problems.

ps - I did not change the tabs within the file to spaces but there are some
lines in mod_dav_svn that are indented with tabs rather than spaces. I did not
feel that this patch should address such a nit.


Fix mod_dav_svn such that files and directories with ":" in their names are
correctly escaped when returned in the HTML and XML output. Without this fix
the links to those files and directories are invalid.

* subversion/mod_dav_svn/repos.c
   (dav_svn_deliver): When escaping the href use ap_os_escape_path( , , 0) which
     will prepend "./" to the href if there is a ":" before the first "/" rather
     than using ap_escape_uri() which does not do the prepending.

Index: subversion/mod_dav_svn/repos.c
--- subversion/mod_dav_svn/repos.c (revision 16897)
+++ subversion/mod_dav_svn/repos.c (working copy)
@@ -2458,7 +2458,7 @@
         /* We quote special characters in both XML and HTML. */
         name = apr_xml_quote_string(entry_pool, name, !gen_html);

- href = ap_escape_uri(entry_pool, href);
+ href = ap_os_escape_path(entry_pool, href, 0);
         href = apr_xml_quote_string(entry_pool, href, 1);

          if (gen_html)

Michael Sinz                     Technology and Engineering Director/Consultant
"Starting Startups"                                mailto:michael.sinz@sinz.org
My place on the web                            http://www.sinz.org/Michael.Sinz
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Oct 23 05:34:59 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.