[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: CGI script for self-administering password in svnserve passwd files

From: Jonathan Kamens <jonathan.kamens_at_tamalesoftware.com>
Date: Thu, 21 Feb 2008 15:42:04 -0500

Does the fact that there has been no response to the email below mean
that there is no interest in distributing this CGI script with
Subversion or that I have failed to attract the attention of the people
who would be involved in deciding whether to do so?

If the latter, can anyone suggest how I might attract their attention?

Thanks,

  jik

-----Original Message-----
From: Jonathan Kamens
Sent: Thursday, February 14, 2008 11:37 AM
To: dev_at_subversion.tigris.org
Subject: Re: CGI script for self-administering password in svnserve
passwd files

Thanks for the code review!

On 02/13/2008 10:54 PM, David Glasser wrote:
> Big security hole: you take the "username" parameter directly from
> user input and interpolate it into a regexp. Don't do that :-)
>
Right you are. Fixed.

> Also, you probably want to update the file atomically (with a temp
> file and a rename). Wouldn't want svnserve to read a half-written
> file...
>
I had resisted doing this because I didn't want to require that the
password file be in its own directory that's writeable by apache, but I
suppose you're right that it's necessary, so fixed.
> And looks like if the user doesn't pass in a "repo" parameter,
> $passwd_file isn't defined... exciting times.
Not really exciting times, just an internal error, but I've now made
this more explicit.
> Not to mention the
> errors that happen if various parameters are the string "0" (though
> admittedly that's a rather poor username or password).
>
Wow, you're paranoid :-). Fixed, I believe.

I also added a few additional test cases and made the test suite work
again (some last-minute changes I made before posting the script broke
the tests).

I also added "-T" to the #! line to enable taint checks, for a slightly
higher level of paranoia.

A new version is attached, along with a diff. Please take a look.

Is there any interest in shipping this script with the distribution? If

there is, I'd be happy to commit to maintaining it.

  jik

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-02-21 21:42:19 CET

This is an archived mail posted to the Subversion Dev mailing list.