On Thu, Apr 12, 2007 at 09:52:35AM -0700, Eric Gillespie wrote:
> "Ben Collins-Sussman" <sussman@red-bean.com> writes:
>
> > Your latest patch looks reasonable to me.
> >
> > Also, the client *does* choose the activity name. It does a PROPFIND
> > asking the server where activities should be stored, and gets back an
> > opaque URI. The client then sends a request: "MKACTIVITY
> > URI/someactivityname". It could be anything.
> >
> > libsvn_ra_dav is set up to use an apr_uuid as an activity name, but a
> > malicious client could send "../../blah" or an activity named AUX or
> > COM or something. We need to put in some server-side checking.
>
> Great, thanks. I'll be asking for review again after i add the
> checks. Probably not today, though.
>
Here's an idea: rather than do complex auditing to make sure the path is
safe, or blacklisting or whatever, why not just use MD5(activity id) as
the filename and rely on hash collisions being extremely unlikely?
Regards,
Malcolm
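Both approaches discussed in this thread, as an added example that is not code from Subversion or mod_dav_svn: a whitelist check of the kind Ben asks for on a client-chosen activity name, beside Malcolm's proposal of deriving the on-disk name from MD5 of the activity id so that no path check is needed. The activities directory path, the sample names and the exact whitelist pattern are assumptions made for the example.

```python
import hashlib
import os
import re

# Hypothetical activities directory; where mod_dav_svn really stores
# activities is configured per repository and is not part of this example.
ACTIVITIES_DIR = "/var/svn/repos/dav/activities.d"

# Names Windows treats as device names regardless of extension (AUX, COM1, ...).
WINDOWS_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

# Whitelist for an activity name used as-is on disk: a single path component,
# no leading dot, bounded length. The apr_uuid libsvn_ra_dav sends passes it.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_activity_name(name: str) -> bool:
    """Server-side check for an activity name chosen by the client.

    Rejects anything that is not one plain path component (so '../../blah'
    and '' fail) and anything whose stem before the first dot is a Windows
    device name (so 'AUX' and 'COM1.txt' fail).
    """
    if not SAFE_NAME.match(name):
        return False
    stem = name.split(".", 1)[0].upper()
    return stem not in WINDOWS_RESERVED


def hashed_activity_filename(activity_id: str) -> str:
    """Malcolm's alternative: use MD5(activity id) as the filename.

    Whatever bytes the client sent, the result is 32 lowercase hex characters,
    which can never contain a separator, a '..' component or a device name.
    """
    return hashlib.md5(activity_id.encode("utf-8")).hexdigest()


def activity_path(activity_id: str, base_dir: str = ACTIVITIES_DIR) -> str:
    """Resolve an activity id to its file under base_dir via the hashed name."""
    path = os.path.normpath(
        os.path.join(base_dir, hashed_activity_filename(activity_id))
    )
    # Defence in depth: confirm the resolved path is a direct child of base_dir.
    if os.path.dirname(path) != os.path.normpath(base_dir):
        raise ValueError("activity path escaped the activities directory")
    return path


def main():
    # Constructed sample names: the UUID-style name a well-behaved client
    # sends, plus the hostile ones mentioned in the thread.
    samples = [
        "6bd93a7a-e8fb-4a5c-9d9f-0f0c1b2e3d4f",
        "../../blah",
        "AUX",
        "COM1.txt",
        ".hidden",
        "",
    ]
    for name in samples:
        ok = is_safe_activity_name(name)
        print(f"{name!r:42} whitelist={str(ok):5} hashed -> {activity_path(name)}")


if __name__ == "__main__":
    main()
```

The hashed name removes the need to audit the client's string, but the server then has to look activities up by their hash everywhere, not just on MKACTIVITY. MD5 is used here because it is what the proposal names; for a new design today SHA-256 is the safer choice, since MD5 collisions can be constructed deliberately.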
Received on Thu Apr 12 20:07:47 2007