
Re: Transaction names in post Uris webdav

From: Ben Collins-Sussman <sussman_at_red-bean.com>
Date: Thu, 5 Feb 2009 10:03:22 -0600

I don't think there's a realistic attack vector here, for two reasons:

1. Most (sane) apache configurations only allow authenticated commits.
 So even if an attacker could guess the name of a
transaction-in-progress, they would still have to be an authenticated
committer to do a PUT at all. Teams which allow anonymous commits...
well, they deserve what they get. :-)

2. mod_dav_svn already prevents 'multi-author' commits. Whenever a
PUT comes in on a transaction, it checks that the authenticated
username on the PUT matches the transaction's existing svn:author
property. (If there's no svn:author property yet, it creates it.)
For details, see mod_dav_svn/repos.c:prep_working().

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1108001
Received on 2009-02-05 17:03:41 CET
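The author-binding check described in point 2, modelled as an added example (constructed for this page; it is not the real mod_dav_svn repos.c:prep_working() code). The names `Transaction`, `prep_working` and `simulate` are assumptions of this model, as is skipping the check when there is no authenticated user, which is why point 1 matters.

```python
"""Model of mod_dav_svn's single-author-per-transaction rule.

Constructed illustration, not the real repos.c:prep_working() code:
each PUT on a transaction must come from the user recorded in the
transaction's svn:author property; the first authenticated PUT sets it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class CommitRejected(Exception):
    """Raised when a PUT's authenticated user does not match svn:author."""


@dataclass
class Transaction:
    name: str
    props: Dict[str, str] = field(default_factory=dict)


def prep_working(txn: Transaction, auth_user: Optional[str]) -> Transaction:
    """Apply the author check to a PUT against `txn` (model of the mail's point 2).

    - No authenticated user (anonymous commit): there is nothing to bind,
      so this model skips the check (assumption); this is the case point 1 warns about.
    - First authenticated PUT: record the user as svn:author.
    - Later PUT: the user must match svn:author, otherwise the PUT is rejected.
    """
    if auth_user is None:
        return txn
    author = txn.props.get("svn:author")
    if author is None:
        txn.props["svn:author"] = auth_user
    elif author != auth_user:
        raise CommitRejected(f"{txn.name}: svn:author={author!r}, PUT by {auth_user!r}")
    return txn


def simulate(puts: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str], str]]:
    """Replay (transaction name, authenticated user) PUTs and report each outcome."""
    txns: Dict[str, Transaction] = {}
    outcomes = []
    for name, user in puts:
        txn = txns.setdefault(name, Transaction(name))
        try:
            prep_working(txn, user)
            outcomes.append((name, user, "accepted"))
        except CommitRejected:
            outcomes.append((name, user, "rejected"))
    return outcomes
```

Replaying a guessed transaction name with a second authenticated user shows the rejection, while a fully anonymous transaction never acquires an author to compare against.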

This is an archived mail posted to the Subversion Dev mailing list.