Re: Transaction names in post Uris webdav

From: Ben Collins-Sussman <sussman_at_red-bean.com>
Date: Thu, 5 Feb 2009 10:03:22 -0600

I don't think there's a realistic attack vector here, for two reasons:

1. Most (sane) apache configurations only allow authenticated commits.
So even if an attacker could guess the name of a
transaction-in-progress, they would still have to be an authenticated
commiter to do a PUT at all. Teams which allow anonymous commits...
well, they deserve what they get. :-)

2. mod_dav_svn already prevents 'multi-author' commits. Whenever a
PUT comes in on a transaction, it checks that the authenticated
username on the PUT matches the transaction's existing svn:author
property. (If there's no svn:author property yet, it creates it.)
For details, see mod_dav_svn/repos.c:prep_working().

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1108001
Received on 2009-02-05 17:03:41 CET

This message: [ Message body ]
Next message: Bert Huijben: "RE: Transaction names in post Uris webdav"
Previous message: Paul Burba: "Re: Tree conflicts directories bug - another issue 3334 variant"
In reply to: Bert Huijben: "Transaction names in post Uris webdav"
Next in thread: Bert Huijben: "RE: Transaction names in post Uris webdav"
Reply: Bert Huijben: "RE: Transaction names in post Uris webdav"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]