[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Transaction names in post Uris webdav

From: Bert Huijben <rhuijben_at_sharpsvn.net>
Date: Thu, 5 Feb 2009 17:25:41 +0100

> -----Original Message-----
> From: sussman_at_gmail.com [mailto:sussman_at_gmail.com] On Behalf Of Ben
> Collins-Sussman
> Sent: donderdag 5 februari 2009 17:03
> To: Bert Huijben
> Cc: dev_at_subversion.tigris.org
> Subject: Re: Transaction names in post Uris webdav
>
> I don't think there's a realistic attack vector here, for two reasons:
>
> 1. Most (sane) apache configurations only allow authenticated commits.
> So even if an attacker could guess the name of a
> transaction-in-progress, they would still have to be an authenticated
> commiter to do a PUT at all. Teams which allow anonymous commits...
> well, they deserve what they get. :-)
>
> 2. mod_dav_svn already prevents 'multi-author' commits. Whenever a
> PUT comes in on a transaction, it checks that the authenticated
> username on the PUT matches the transaction's existing svn:author
> property. (If there's no svn:author property yet, it creates it.)
> For details, see mod_dav_svn/repos.c:prep_working().

        Hi,

The attack vector I was thinking of was closed by point 2. And thanks for
the source reference :)

Thanks for confirming we didn't forget something here!

        Bert

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1108126
Received on 2009-02-05 17:26:28 CET

This is an archived mail posted to the Subversion Dev mailing list.