[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Possible security leak in 'svn lock'

From: Daniel Rall <dlr_at_collab.net>
Date: 2006-05-09 20:01:16 CEST

On Wed, 03 May 2006, François Beausoleil wrote:

> Hi all !
>
> db/migrate is a folder in my WC. I did:
>
> $ svn lock db\migrate
> svn: '/projects/rickstonehouse.com/trunk/db/migrate' is not a file in
> filesystem '/var/svn/repos/db'
>
> The full path to the repository is shown in the message.
>
> Client: WinXP SP2
> $ svn --version
> svn, version 1.3.0 (r17949)
> compiled Jan 15 2006, 23:18:48
>
> Server:
> Debian Sarge
> $ svn --version
> svn, version 1.3.1 (dev build)
> compiled Jan 24 2006, 22:00:57

Thanks for the note, François. This is a known problem, resulting
from Subversion's server code (indirectly) using the same core APIs as
the rest of the code base (where it makes sense to provide detailed
errors), but failing to filter out potentially sensitive information
from error messages.

Patches welcome. ;-)

-- 
Daniel Rall

  • application/pgp-signature attachment: stored
Received on Tue May 9 20:02:14 2006

This is an archived mail posted to the Subversion Dev mailing list.