[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: DAV activity hijacking?

From: Malcolm Rowe <malcolm-svn-dev_at_farside.org.uk>
Date: 2006-06-22 12:21:29 CEST

On Thu, Jun 22, 2006 at 12:17:04PM +0300, Artem Egorkine wrote:
> If a user was successfuly able to issue an MKACTIVITY request - he has
> been verified to have global write access to the repsitory. It is
> therefore not neccesary to check for global write access on subsequent
> MERGE or DELETE requests.
>
> That is of course if we can be sure that no other user can guess or
> snoop the uuid of the activity and either on purpose or by accident
> isue MERGE or DELETE on it.
>

UUIDs are generally predictable (and more specifically, the type that
APR generates by itself is definitely predictable), so it's probably not
that hard to determine the UUID generated for another user's activity
(possibly, generate enough MKACTIVITY requests to get >1 per timer
resolution, watch for a gap in the generated UUID).

But don't we validate that the user who generated the activity is the
same one who is issuing further requests on it? If we do, then you
might be right, though I wonder how long an activity is valid for,
which may explain why we want to re-validate the user's access.

Disclaimer: DAV is not my strong point.

Regards,
Malcolm

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Jun 22 12:22:09 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.