[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Interesting problem with ":" in mod_dav_svn XML output

From: Michael Sinz <Michael.Sinz_at_sinz.org>
Date: 2005-10-23 05:37:03 CEST

Michael Sinz wrote:
> Something just "bit me" with XSLT displayed pages from mod_dav_svn.
> I say that in quotes as I had already had worked around the problem,
> before I even knew about it, for other reasons.

Note that this is not just in XML output but also a problem in the
HTML output from mod_dav_svn

> Anyway, the problem is that the ":" character is not escaped in the
> "href" attribute of the file and directory elements.
>
> This is a problem as the ":" character is a special character that
> separates protocol from port within a URL and thus must be escaped
> if it is not serving in that manner.

[...]

Note that this may be a security risk. Since the ":" is not escaped,
a file or directory that has a correctly formatted name could now
cause the browser to do something unwanted on the client's machine and/or
redirect to some remote server. This is possible due to the fact that
the URL "scheme" is what is parsed before the ":" as long as no "/" exists
before the ":". Some browsers have special features and capabilities with
certain schemes other than http: and one could even have http: help provide
other data to external servers.

For example (non-dangerous) if a file of the name "http:sinz.com" were to
be in the repository, Subversion/mod_dav_svn would currently make a link that
while looking to go to that file (or directory) would actually go to the
sinz.com site and provide it with referer information. More complex constructs
are left as a excersice for the reader...

I have just posted a (trivial) patch that fixes the ":" problem and thus
would close whatever potential security issue this may have presented.

        http://svn.haxx.se/dev/archive-2005-10/1105.shtml

The patch is valid in the 1.1.x, 1.2.x, and 1.3.x code base (albeit the
line numbers are slightly different) 

-- 
Michael Sinz                     Technology and Engineering Director/Consultant
"Starting Startups"                                mailto:michael.sinz@sinz.org
My place on the web                            http://www.sinz.org/Michael.Sinz
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Oct 23 05:37:58 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.