RE: Transaction names in post Uris webdav

From: Bert Huijben <rhuijben_at_sharpsvn.net>
Date: Thu, 5 Feb 2009 17:25:41 +0100

> -----Original Message-----
> From: sussman_at_gmail.com [mailto:sussman_at_gmail.com] On Behalf Of Ben
> Collins-Sussman
> Sent: donderdag 5 februari 2009 17:03
> To: Bert Huijben
> Cc: dev_at_subversion.tigris.org
> Subject: Re: Transaction names in post Uris webdav
>
> I don't think there's a realistic attack vector here, for two reasons:
>
> 1. Most (sane) apache configurations only allow authenticated commits.
> So even if an attacker could guess the name of a
> transaction-in-progress, they would still have to be an authenticated
> commiter to do a PUT at all. Teams which allow anonymous commits...
> well, they deserve what they get. :-)
>
> 2. mod_dav_svn already prevents 'multi-author' commits. Whenever a
> PUT comes in on a transaction, it checks that the authenticated
> username on the PUT matches the transaction's existing svn:author
> property. (If there's no svn:author property yet, it creates it.)
> For details, see mod_dav_svn/repos.c:prep_working().

Hi,

The attack vector I was thinking of was closed by point 2. And thanks for
the source reference :)

Thanks for confirming we didn't forget something here!

Bert

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1108126
Received on 2009-02-05 17:26:28 CET

This message: [ Message body ]
Next message: Bert Huijben: "RE: svn commit: r35665 - in trunk: . build/ac-macros subversion subversion/libsvn_fs_base subversion/libsvn_fs_base/bdb subversion/libsvn_fs_base/util"
Previous message: Ben Collins-Sussman: "Re: Transaction names in post Uris webdav"
In reply to: Ben Collins-Sussman: "Re: Transaction names in post Uris webdav"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]