[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] issue 1796: defective or malicious client can corrupt repository log messages

From: Neels Janosch Hofmeyr <neels_at_elego.de>
Date: Tue, 03 Jun 2008 03:48:48 +0200

There was a discussion on issue 1796 up to a week ago, in which a bunch
of shortcomings of the same kind as 1796 have been revealed:

The subversion server and client do not validate props in places where
they should:
- where the server receives props from a client out there. (#1796)
- where the server reads props from the repository file system.
- where the svn client reads props from a server out there.
(Approval by kfogel)

This patch starts by fixing the specific problems of issue 1796, only:
- where the server receives props from a client out there. (#1796)
, and limited only to the log message prop (SVN_PROP_REVISION_LOG).

More patches, continuing in above list, are to follow.

Also, in the threads about issue 1796 recently, some people asked for a
way to reproduce 1796 without forging their svn client. Note that the C
test included in this patch is a good way to do so. It may be
illustrative to investigate the repository after the test has run, using
current trunk: the corrupt data shows in the repository filesystem.

Also note that this is my first "complex" patch to subversion, so please
feel very free to tell me about anything I could have done better.


Fix issue #1796: defective or malicious client can corrupt repository
log messages.
Also adding regression test for 1796.

* subversion/include/private/svn_utf_private.h: Add this private header
    file and move the declaration of svn_utf__is_valid from
    libsvn_subr/utf_impl.h here, because this function is needed in

* subversion/libsvn_subr/utf_impl.h: Include private/svn_utf_private.h.
  (svn_utf__is_valid): Move declaration away to svn_utf_private.h
    because this function is needed in libsvn_repos.
  (svn_utf__last_valid): Add comment to also see svn_utf__is_valid.

* subversion/libsvn_repos/fs-wrap.c(validate_prop): Add two validations
    for SVN_PROP_REVISION_LOG's value. Validate UTF-8 encoding using
    svn_utf__is_valid, and validate consistent LF eol style by looking
    for and rejecting CR (\r) characters.

* subversion/tests/libsvn_repos/repos-test.c
  (prop_validation): Add this regression test for issue 1796, which
    tries to commit two invalid log messages concerning UTF-8 and LF.
  (prop_validation_commit_with_revprop): Add this helper function for
    prop_validation, which runs a commit with a given revprop.

Patch by: Neels Janosch Hofmeyr <neels_at_elego.de>
Review by: Karl Fogel <kfogel_at_red-bean.com>
           Daniel Shahaf <d.s_at_daniel.shahaf.co.il>
           Stefan Sperling <stsp_at_elego.de>
           Branko Cibej <brane_at_xbc.nu>
Found by: garrick_olson

Neels Hofmeyr -- elego Software Solutions GmbH
Gustav-Meyer-Allee 25 / Gebäude 12, 13355 Berlin, Germany
phone: +49 30 23458696  mobile: +49 177 2345869  fax: +49 30 23458695
http://www.elegosoft.com | Geschäftsführer: Olaf Wagner | Sitz: Berlin
Handelsreg: Amtsgericht Charlottenburg HRB 77719 | USt-IdNr: DE163214194

Received on 2008-06-03 03:59:37 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.