[I sent this mail to the dev list; not the security list... as this part
of the HTTPv2 protocol is not even implemented right now!]
Our webdav implementation creates a public Uri to communicate over when
a transaction is started and closes it when the transaction is
committed. (Or aborted?).
Anyway, in HTTPv1 we generated a UUID and used that as the public
transaction ID. This made it impossible to guess the transaction ID for
outsiders that didn't start the transaction.
(As far as I know everyone can write to this public Uri when they get
through the initial security check).
For HTTPv2 the decision was made to no longer create a generated UUID ->
Filesystem transaction mapping, but to use the real transaction ID used
by the filesystem in the Uri.
This might introduce a security problem, as it is certainly possible to
guess a filesystem transaction id. (I think FSFS uses two integers as
the transaction id.. the first of which specifies at which revision the
I don't know our webdav protocol and its implementation well enough to
be sure that this is actually a security problem. (Or that we just store
the author in the transaction and verify that on every transaction
update). But I want to make sure we don't introduce a backdoor where..
The attack vector I'm afraid of is:
Let's assume I know UserX is working on the WC library ...
* That would make trunk/subversion/libsvn_wc a likely transaction root.
* I continuously try to write a new deprecated.c to this transaction
root based on the guessed transaction numbers.. and voila in one of the
thousands of requests I guess the transaction correctly, so it actually
Eventually UserX commits his transaction, but he commits deprecated.c
So in this case I can change his transaction, without any trace in the
history. (And probably break his working copy too)..
Is this a realistic attack?
I surely hope it isn't...
But I want to be sure... So please shoot on this guessing..
Received on 2009-02-05 16:05:50 CET
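The two handle schemes the mail contrasts, plus the owner check it mentions in passing ("store the author in the transaction and verify that on every transaction update"), as an added example in Python. This is not code from the mailing list or from Subversion's mod_dav_svn; the class names, the sequential "txn-N" ids standing in for real FSFS transaction ids, and the helper functions are all hypothetical.

```python
import uuid


class Transaction:
    """One open commit transaction (hypothetical model, not Subversion's own)."""

    def __init__(self, fs_id, owner):
        self.fs_id = fs_id    # internal filesystem txn id; sequential, so guessable
        self.owner = owner    # user who started it; verified on every write
        self.files = {}       # path -> content written into this transaction


class TxnRegistry:
    """Keeps open transactions and hands out both kinds of public handle."""

    def __init__(self):
        self._counter = 0
        self._by_fs_id = {}   # HTTPv2-style lookup: public URI carries the fs id itself
        self._by_token = {}   # HTTPv1-style lookup: random UUID mapped to the txn

    def begin(self, user):
        # Assumed sequential ids ("txn-0", "txn-1", ...) stand in for real FSFS ids.
        fs_id = "txn-%d" % self._counter
        self._counter += 1
        txn = Transaction(fs_id, user)
        # uuid4 carries 122 random bits; the token reveals nothing about fs_id.
        token = str(uuid.uuid4())
        self._by_fs_id[fs_id] = txn
        self._by_token[token] = txn
        return fs_id, token

    def resolve_v2(self, fs_id):
        """HTTPv2 scheme in the mail: the filesystem id is the public handle."""
        return self._by_fs_id.get(fs_id)

    def resolve_v1(self, token):
        """HTTPv1 scheme in the mail: only the holder of the random token can resolve it."""
        return self._by_token.get(token)

    def write(self, txn, user, path, data):
        """Mitigation the mail mentions: the stored author is checked on every update,
        so resolving a transaction by any handle is not enough to modify it."""
        if txn.owner != user:
            raise PermissionError("%s does not own %s" % (user, txn.fs_id))
        txn.files[path] = data


def guess_space_v2(registry):
    """Candidate handles an outsider would have to try under the v2 scheme:
    bounded by how many sequential ids have been handed out so far."""
    return registry._counter


def guess_space_v1():
    """Candidate handles under the v1 scheme: the uuid4 random space."""
    return 2 ** 122


if __name__ == "__main__":
    reg = TxnRegistry()
    fs_id, token = reg.begin("userx")
    txn = reg.resolve_v2(fs_id)
    reg.write(txn, "userx", "libsvn_wc/deprecated.c", b"owner's change")
    try:
        reg.write(txn, "someone-else", "libsvn_wc/deprecated.c", b"foreign change")
    except PermissionError as e:
        print("rejected:", e)
    print("v2 guess space:", guess_space_v2(reg), " v1 guess space: 2**122")
```

The point of the comparison is that `resolve_v2` makes the handle cheap to enumerate while `resolve_v1` does not, and that an owner check in `write` closes the gap independently of which handle scheme is used.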