[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Interesting problem with ":" in mod_dav_svn XML output

From: Michael Sinz <Michael.Sinz_at_sinz.org>
Date: 2005-10-23 05:37:03 CEST

Michael Sinz wrote:
> Something just "bit me" with XSLT displayed pages from mod_dav_svn.
> I say that in quotes as I had already had worked around the problem,
> before I even knew about it, for other reasons.

Note that this is not just in XML output but also a problem in the
HTML output from mod_dav_svn

> Anyway, the problem is that the ":" character is not escaped in the
> "href" attribute of the file and directory elements.
> This is a problem as the ":" character is a special character that
> separates protocol from port within a URL and thus must be escaped
> if it is not serving in that manner.


Note that this may be a security risk. Since the ":" is not escaped,
a file or directory that has a correctly formatted name could now
cause the browser to do something unwanted on the client's machine and/or
redirect to some remote server. This is possible due to the fact that
the URL "scheme" is what is parsed before the ":" as long as no "/" exists
before the ":". Some browsers have special features and capabilities with
certain schemes other than http: and one could even have http: help provide
other data to external servers.

For example (non-dangerous) if a file of the name "http:sinz.com" were to
be in the repository, Subversion/mod_dav_svn would currently make a link that
while looking to go to that file (or directory) would actually go to the
sinz.com site and provide it with referer information. More complex constructs
are left as a excersice for the reader...

I have just posted a (trivial) patch that fixes the ":" problem and thus
would close whatever potential security issue this may have presented.


The patch is valid in the 1.1.x, 1.2.x, and 1.3.x code base (albeit the
line numbers are slightly different)

Michael Sinz                     Technology and Engineering Director/Consultant
"Starting Startups"                                mailto:michael.sinz@sinz.org
My place on the web                            http://www.sinz.org/Michael.Sinz
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Oct 23 05:37:58 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.