I assume the server would error if someone removed this check on the
client side?
rhuijben_at_apache.org wrote on Wed, May 04, 2011 at 00:04:29 -0000:
> Author: rhuijben
> Date: Wed May 4 00:04:29 2011
> New Revision: 1099298
>
> URL: http://svn.apache.org/viewvc?rev=1099298&view=rev
> Log:
> In libsvn_ra_serf check if a reparenting operation doesn't step outside the
> repository. This matches the test performed by ra_local.
>
> * subversion/libsvn_ra_serf/serf.c
> (svn_ra_serf__reparent): Verify if the new session uri is still in the same
> repository.
>
> Modified:
> subversion/trunk/subversion/libsvn_ra_serf/serf.c
>
> Modified: subversion/trunk/subversion/libsvn_ra_serf/serf.c
> URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_serf/serf.c?rev=1099298&r1=1099297&r2=1099298&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/libsvn_ra_serf/serf.c (original)
> +++ subversion/trunk/subversion/libsvn_ra_serf/serf.c Wed May 4 00:04:29 2011
> @@ -456,7 +456,20 @@ svn_ra_serf__reparent(svn_ra_session_t *
> return SVN_NO_ERROR;
> }
>
> - /* Do we need to check that it's the same host and port? */
> + if (!session->repos_root_str)
> + {
> + const char *vcc_url;
> + SVN_ERR(svn_ra_serf__discover_vcc(&vcc_url, session, NULL, pool));
> + }
> +
> + if (!svn_uri_is_ancestor(session->repos_root_str, url))
> + {
> + return svn_error_createf(
> + SVN_ERR_RA_ILLEGAL_URL, NULL,
> + _("URL '%s' is not a child of the session's repository root "
> + "URL '%s'"), url, session->repos_root_str);
> + }
> +
> status = apr_uri_parse(session->pool, url, &new_url);
> if (status)
> {
>
>
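Review bot: In the new `if (!session->repos_root_str)` block, `vcc_url` is assigned and never read, so the call to `svn_ra_serf__discover_vcc()` appears to be made only for a side effect of filling in `session->repos_root_str`, and nothing in the hunk says so or confirms it happened. A one-line comment stating that intent would help the next reader. It would also be safer to verify that `session->repos_root_str` is non-NULL after the call and before it is passed to `svn_uri_is_ancestor()` and to the `'%s'` in the error message, since as written a successful return that leaves it unset would feed NULL to both. Separately, the removed comment asked about host and port; if the ancestor test against the repository root URL is meant to answer that question, the log message or a replacement comment should say so.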
Received on 2011-05-04 11:33:46 CEST