Re: [Issue 1796] defective or malicious client can corrupt repository log messages

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Mon, 26 May 2008 17:28:18 -0400

Neels Janosch Hofmeyr <neels_at_elego.de> writes:
> Say that an invalid log message has been written to the repository. If,
> then, the normal (unforged) svn client is invoked with, e.g., `svn log
> <file>', the invalid log message is read from the repository and passed
> to the client, which does no normalising or checking whatsoever and
> prints the invalid characters to the screen directly.
>
> (I repeat, this happens when using the normal svn client without any
> malicious modifications. I only forged the part where the user gives a
> message.)

Okay. It would have helped if, in the mail where you were pointing out
this bug, your transcript actually showed this happening :-).

> To confirm this, look in the same test logs that prove the point that
> the server accepts invalid log messages. You can see that `svn log'
> produces those same invalid characters.

What logs are you referring to?

Actually, a great time saver would be if you could set up a repository
on the public Internet somewhere, with revisions that have invalid data
of various kinds. Then everyone else could access it with their normal
clients.

I had thought 'svn log' *does* protect against this...

> So, right now, there is only *one* place where props get
> normalised/checked for consistency:
> - where the svn client receives a log message from the user

Agreed.

> The places where checking the props is, supposedly, missing are:
> - where the server receives props from a client out there.

Agreed.

> - where the server reads props from the repository file system.

Agreed.

> - where the svn client reads props from a server out there.

Agreed, but I thought we already did this.

> The place where I don't know yet what happens is:
> - where the client receives any svn:prop other than a commit log from
> the user.

Well, not all "svn:" props are guaranteed to be UTF-8; each prop may
have its own normalization rules. I agree that whatever those rules
are, we should enforce them.

> I'd just like to ask: is it considered a lot of overhead to check all
> svn:props for utf8 and proper LF in all of the places discussed? If both
> the client and server check all the time, then each prop is checked at
> least twice for a given operation.

Each "svn:" property value should be checked for its particular kind of
validity at all relevant points. The important thing is not the number
of checks; the important thing is *where* the checks happen. I think
you have identified the places where the checks need to happen.

-Karl

Received on 2008-05-26 23:28:32 CEST

This is an archived mail posted to the Subversion Dev mailing list.
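
Added example, not part of the original mail and not Subversion's own code: a stand-alone C check for the two properties the thread names for log messages, well-formed UTF-8 and LF-only line endings, written so the same function can be called at each boundary listed above (server receiving from a client, server reading from the file system, client reading from a server). The names `check_log_value` and `prop_check` are hypothetical, and applying this check only to values required to be UTF-8 is an assumption, since other "svn:" props may have their own rules.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes (hypothetical names, not Subversion's API). */
enum prop_check { PROP_OK = 0, PROP_BAD_UTF8 = 1, PROP_BAD_EOL = 2 };

/* Reject a value that is not well-formed UTF-8 or that contains CR.
   It never repairs: normalising is the job of the side that accepts user input. */
enum prop_check check_log_value(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t n;                 /* continuation bytes expected */
        unsigned long cp, min;    /* decoded code point, smallest legal value */

        if (c == '\r') return PROP_BAD_EOL;        /* CR or CRLF present */
        if (c < 0x80) { i++; continue; }           /* plain ASCII */
        if ((c & 0xE0) == 0xC0)      { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return PROP_BAD_UTF8;                 /* stray continuation, 0xF8+ */

        if (len - i <= n) return PROP_BAD_UTF8;    /* sequence cut short */
        for (size_t k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return PROP_BAD_UTF8;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return PROP_BAD_UTF8;        /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return PROP_BAD_UTF8; /* surrogate */
        if (cp > 0x10FFFF) return PROP_BAD_UTF8;   /* beyond Unicode range */
        i += n + 1;
    }
    return PROP_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from any real repository. */
    const char *samples[] = { "fix typo\nsecond line", "edited on Windows\r\n",
                              "caf\xE9 (Latin-1 byte)" };
    for (size_t j = 0; j < sizeof samples / sizeof samples[0]; j++)
        printf("sample %zu -> %d\n", j, (int)check_log_value(
                   (const unsigned char *)samples[j], strlen(samples[j])));
    return 0;
}
```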