In mod_dav_svn the returned links (and XML href attributes) need to be escaped
for correct relative URL/URI support as per RFC 1808 [1]
All but one case is currently handled via the use of ap_escape_uri() within
mod_dav_svn. The case is that of a file or directory that contains a ":"
character. [2]
The ":" character has special meaning before the first "/" character. If a ":"
is encountered before the first "/" then the text before the ":" is the scheme
or protocol. (http:, ftp:, etc) Because full URLs (or URIs) can be escaped,
there is no way for the ap_escape_uri() function to know what to do with a ":"
However, Apache has the ap_os_escape_path() call (which is what ap_escape_uri()
really devolves into) with a 3rd parameter that tells it to treat the path as
something that will not be prepended with a full scheme://host/ syntax. When
used in this context, the code checks if there is a ":" before the first "/"
and if so will prepend to the URL a "./" in order to render the ":" inert.
This fix should also be considered for a backport to 1.3.x and 1.2.x as it
has a security implication. Namely, since currently mod_dav_svn does not
escape the links with ":" correctly, someone can put into the repository
a malicious link using whatever scheme is desired.
See thread starting at http://svn.haxx.se/dev/archive-2005-10/1058.shtml
for more details.
[1] see http://www.faqs.org/rfcs/rfc1808.html
[2] we ignore the issue of an entry with "/" in it since that is generally not
accepted. If that needs to be supported there are *many* other problems.
ps - I did not change the tabs within the file to spaces but there are some
lines in mod_dav_svn that are indented with tabs rather than spaces. I did not
feel that this patch should address such a nit.
------------------------------------------------------------------
[[[
Fix mod_dav_svn such that files and directories with ":" in their names are
correctly escaped when returned in the HTML and XML output. Without this fix
the links to those files and directories are invalid.
* subversion/mod_dav_svn/repos.c
(dav_svn_deliver): When escaping the href use ap_os_escape_path( , , 0) which
will prepend "./" to the href if there is a ":" before the first "/" rather
than using ap_escape_uri() which does not do the prepending.
]]]
Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c (revision 16897)
+++ subversion/mod_dav_svn/repos.c (working copy)
@@ -2458,7 +2458,7 @@
/* We quote special characters in both XML and HTML. */
name = apr_xml_quote_string(entry_pool, name, !gen_html);
- href = ap_escape_uri(entry_pool, href);
+ href = ap_os_escape_path(entry_pool, href, 0);
href = apr_xml_quote_string(entry_pool, href, 1);
if (gen_html)
--
Michael Sinz Technology and Engineering Director/Consultant
"Starting Startups" mailto:michael.sinz@sinz.org
My place on the web http://www.sinz.org/Michael.Sinz
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Oct 23 05:34:59 2005