Re: [PATCH] #6 OS400/EBCDIC Port: Prevent OS conversion of file contents

From: Paul Burba <paulb_at_softlanding.com>
Date: 2006-02-23 22:34:53 CET

Philip Martin <philip@codematters.co.uk> wrote on 02/23/2006 02:35:31 PM:

> Paul Burba <paulb@softlanding.com> writes:
>
> > + apr_status_t apr_err;
> > + if (flag & APR_CREATE)
> > + {
> > + /* If we are trying to create a file on OS400 ensure it's CCSID
is
> > + * 1208. */
> > + apr_err = apr_file_open(f, fname, flag & ~APR_BINARY, perm,
pool);
> > +
> > + if (!apr_err)
> > + apr_file_close(*f);
> > + else
> > + return apr_err;
> > +
> > + /* Unset APR_EXCL before the next call to apr_file_open()
doesn't
> > + * return an error. */
> > + flag &= ~APR_EXCL;
> > + }
> > +#endif /* AS400 */
> > + return apr_file_open(f, fname, flag, perm, pool);
> > +}
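Review bot: In the `if (flag & APR_CREATE)` block only APR_EXCL is cleared before the final `apr_file_open(f, fname, flag, perm, pool)`, so APR_CREATE is still set on the reopen. If the file disappears between `apr_file_close(*f)` and that call, it is silently created again by the second open, bypassing the first open that the comment says is there to ensure CCSID 1208. Consider `flag &= ~(APR_CREATE | APR_EXCL);` so the reopen fails instead when the file is gone. The return value of `apr_file_close(*f)` is also discarded, and in the comment above `flag &= ~APR_EXCL;` the word "before" looks like it should be "so that".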
>
> I'm happy for this to be committed.
>
> I'll just point out that it does introduce a race on AS400, one that's
> not present elsewhere. I don't think this will affect "normal"
> operation of the client or the server, but it might allow malicious
> attacks. During the interval between the close and the second open an
> APR_CREATE|APR_EXCL file could get replaced.

I think we'll just have to live with this risk on OS400, or rather I
should say I don't see any way to avoid it.

> I don't know much about
> AS400, does it have symlinks?

Yes it does.

> If so then it's vulnerable to a symlink
> race. Does it allow open files to be deleted?

Yes.

> If so that increases
> the duration of the race.
>
> --
> Philip Martin

Received on Thu Feb 23 22:35:47 2006
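
The race discussed in this thread (an exclusive create, a close, then a second open of the same name) can at least be detected on a POSIX system. The following is an added example, not code from the thread, APR or Subversion: it keeps the first descriptor open across the reopen and compares file identity. Whether the OS400 CCSID step permits holding the first handle open is an assumption not confirmed on the page. `create_then_reopen`, `gap` and `gap_mode` are hypothetical names, and `gap` is a constructed stand-in for a concurrent process, used only for testing.

```c
/* Added example: POSIX sketch, not APR/Subversion code; not tested on OS400. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Test-only interference between the two opens (constructed):
 * 0 = none, 1 = delete, 2 = replace with symlink, 3 = replace with new file. */
static int gap_mode = 0;
static void gap(const char *path)
{
    if (gap_mode == 0) return;
    unlink(path);
    if (gap_mode == 2 && symlink("/dev/null", path) != 0) return;
    if (gap_mode == 3) close(open(path, O_WRONLY | O_CREAT, 0600));
}

/* Create `path` exclusively, reopen it, and return the second descriptor only
 * if it refers to the file the first open created. -1 with errno on failure. */
static int create_then_reopen(const char *path, mode_t perm)
{
    struct stat made, again;
    int fd2 = -1, saved;
    /* O_CREAT|O_EXCL fails if anything, a symlink included, already exists. */
    int fd1 = open(path, O_WRONLY | O_CREAT | O_EXCL, perm);
    if (fd1 < 0)
        return -1;
    gap(path);
    /* No O_CREAT: a deleted file is an error, not a silent re-create.
     * O_NOFOLLOW: a symlink planted in the gap is refused. */
    if (fstat(fd1, &made) == 0)
        fd2 = open(path, O_RDWR | O_NOFOLLOW);
    /* fd1 is still open, so its inode number cannot be recycled; a matching
     * (st_dev, st_ino) pair means fd2 is the file created above. */
    if (fd2 >= 0 && (fstat(fd2, &again) != 0 || again.st_dev != made.st_dev
                     || again.st_ino != made.st_ino)) {
        close(fd2);
        fd2 = -1;
        errno = ESTALE;
    }
    saved = errno;
    close(fd1);
    errno = saved;
    return fd2;
}

int main(void)
{
    int fd = create_then_reopen("reopen_demo.tmp", 0600);
    if (fd >= 0) { close(fd); unlink("reopen_demo.tmp"); }
    return fd < 0;
}
```

Closing the first descriptor before the identity comparison would reopen the window, because a deleted file's inode number may then be reused.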
