Bug: committers can set arbitrary HTTP Headers on any file

Summary: by providing a multi-line value for the svn:mime-type
property, you can add arbitrary headers to any mod_dav_svn response
for a file in a Subversion repository

NOTE: This is *not* a security hole--remember, if someone has write
access to a repository, they can set the contents of any file to
whatever they please.

Reproduction recipe:

- Create a new repository
- Check out revision 0
- Create a file (it can be empty)
- svn propedit svn:mime-type FILENAME with the following value:

-----------
text/plain; charset=UTF-8
X-Fitz-Rules: Totally
X-Cheeseburger: kthxbai
-----------

Commit that and then request the file and you'll see the headers. For
example (and you can try this yourself):

$ curl -I http://svn.red-bean.com/repos/test/foo.txt
HTTP/1.1 200 OK
Date: Fri, 10 Aug 2007 18:12:33 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8e DAV/2
SVN/1.4.3 PHP/5.2.0 mod_python/3.2.10 Python/2.4.4
Last-Modified: Fri, 10 Aug 2007 16:17:48 GMT
ETag: "3//foo.txt"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/plain; charset=UTF-8
X-Fitz-Rules: Totally
X-Cheeseburger: kthxbai

I suggest that we do two things to fix this:

- Fix libsvn_subr/validate.c:svn_mime_type_validate to allow at most one newline
- Fix mod_dav_svn to truncate the svn:mime-type at the first newline
(since we can't really rely on the client's validation).

Thoughts?

-Fitz

PS Hi guys! Long time no see! :-)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Aug 10 20:22:20 2007