
Re: Possible security problem with svnsync?

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Wed, 12 May 2010 11:19:48 -0400

Jon Foster wrote:
> Hi,
> I have a repository that is partially mirrored, using svnsync and
> mod_authz_svn [1]. I just realised that the administrator of the
> mirror server can bypass the authz rules I've set up on the master
> server. All he has to do is change the svn:sync-from-url property
> on the mirror repository to be a file:// URL to the source
> repository, rather than a http:// one. The correct file:// URL is
> probably guessable.

Yes, you are correct. If the admin of the mirror server changes the
sync-from URL to a properly guessed file:// URL, then svnsync, when run on
the master server, will read that URL from the mirror and use it for its
sync work, bypassing authz.

> Attack #2 (other repositories):
> More generally, the administrator of the mirror repository can use
> this attack to get a full mirror of ANY repository that svnsync can
> access, if they know both the repository URL and UUID. In practice,
> the requirement to know the UUID is likely to frustrate most attacks
> that are directed against other repositories. (It does not provide
> any protection whatsoever against the basic "bypass authz" attack
> described earlier in this mail, because the mirror repository's
> "svn:sync-from-uuid" property already contains the correct UUID).
> But the repository UUID was never intended to be a security-critical
> secret - it's included in plaintext in every SVN checkout, and
> changing it requires everyone to fix up their working copies.

So, you're saying that svnsync, running on the master server via repos1's
hooks, would contact what it thinks is a mirror of repos1 on the mirror
server, read the sync URL (which actually points to file://.../repos2), and
start syncing repos2's data across the wire. Right. Um... Ewww.

> Possible workarounds:
> - Don't run svnsync on the same system as the master repository,
> run it on the mirror server instead.

This has high practical costs, though.

> - Run svnsync as a different user that doesn't have access to any
> repository files.

This is a better workaround.

> Suggested fix:
> Please can we change "svnsync sync" to allow both the source and
> target URLs to be specified? That rather simple measure would block
> this attack. Since svnsync is usually invoked from a script, typing
> the extra URL isn't a problem.
> (If only one URL is specified, then svnsync should probably behave
> as it does today, for backward-compatibility. And we should
> document that svnsync trusts the mirror server if you only provide
> one URL).

This is a very sensible suggestion.

C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand
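The workaround and the suggested fix above both come down to one rule: the master-side svnsync job must not trust the source URL it reads back from the mirror. The following guard, added here as an illustration and not code from this thread or from Subversion itself, reads the revision-0 revprop svn:sync-from-url from the mirror and refuses to run svnsync unless it matches the URL the master administrator configured. The function names, the MASTER_URL/MIRROR_URL parameters and the sample URLs are constructed for the example; `svn propget ... --revprop -r 0` and `svnsync sync` are the real client commands.

```shell
#!/bin/sh
# Hypothetical pre-sync guard for a master-side hook script (constructed example).
# It enforces the "both URLs specified" idea from the thread: the hook knows the
# URL the mirror is supposed to sync from and refuses anything else.

# check_sync_source EXPECTED_URL ACTUAL_URL
# Returns 0 when the sync-from URL recorded on the mirror is exactly the URL we
# expect, 1 otherwise. A mismatch, and in particular a file:// URL, means the
# revprop on the mirror was changed and svnsync would read a repository the
# mirror admin is not authorized to see.
check_sync_source() {
    expected="$1"
    actual="$2"
    case "$actual" in
        file://*)
            echo "refusing: sync-from-url is a local file:// URL ($actual)" >&2
            return 1 ;;
    esac
    if [ "$actual" != "$expected" ]; then
        echo "refusing: sync-from-url ($actual) differs from expected ($expected)" >&2
        return 1
    fi
    return 0
}

# guard_and_sync MIRROR_URL EXPECTED_MASTER_URL
# Reads the revprop svnsync keeps on revision 0 of the mirror, runs the check,
# and only then invokes svnsync. Needs the svn client on PATH; it is not run
# automatically by this file.
guard_and_sync() {
    mirror="$1"
    expected="$2"
    actual=$(svn propget svn:sync-from-url --revprop -r 0 "$mirror") || return 1
    check_sync_source "$expected" "$actual" || return 1
    svnsync sync "$mirror"
}
```

Combine this with the second workaround (run the hook as a user that has no filesystem access to the repositories) so that even a missed check cannot fall back to a file:// read.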

Received on 2010-05-12 17:20:21 CEST

This is an archived mail posted to the Subversion Dev mailing list.