I'm going to wait for some review and the log message to be flushed
out before I merge this to 1.6.x. (I had to resolve some conflicts,
and wanted to ensure I didn't bork anything up.)
-Hyrum
On Wed, Jun 1, 2011 at 9:09 PM, <hwright_at_apache.org> wrote:
> Author: hwright
> Date: Wed Jun 1 21:09:22 2011
> New Revision: 1130303
>
> URL: http://svn.apache.org/viewvc?rev=1130303&view=rev
> Log:
> Commit the fix for CVE-2011-1921 and CVE-2011-1783.
>
> (Hopefully somebody with a bit more knowledge than me will fill in the detailed
> log message.)
>
> * subversion/mod_dav_svn/authz.c
> (dav_svn__allow_read): Foo.
>
> * subversion/tests/cmdline/svnsync_tests.py
> (specific_deny_authz): New test.
> (test_list): Run the new test.
>
> * subversion/libsvn_repos/authz.c
> (svn_repos_authz_check_access): Foo.
>
> Modified:
> subversion/trunk/subversion/libsvn_repos/authz.c
> subversion/trunk/subversion/mod_dav_svn/authz.c
> subversion/trunk/subversion/tests/cmdline/svnsync_tests.py
>
> Modified: subversion/trunk/subversion/libsvn_repos/authz.c
> URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_repos/authz.c?rev=1130303&r1=1130302&r2=1130303&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/libsvn_repos/authz.c (original)
> +++ subversion/trunk/subversion/libsvn_repos/authz.c Wed Jun 1 21:09:22 2011
> @@ -776,6 +776,9 @@ svn_repos_authz_check_access(svn_authz_t
> return SVN_NO_ERROR;
> }
>
> + /* Sanity check. */
> + SVN_ERR_ASSERT(path[0] == '/');
> +
> /* Determine the granted access for the requested path. */
> path = svn_fspath__canonicalize(path, pool);
> current_path = path;
>
> Modified: subversion/trunk/subversion/mod_dav_svn/authz.c
> URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/mod_dav_svn/authz.c?rev=1130303&r1=1130302&r2=1130303&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/mod_dav_svn/authz.c (original)
> +++ subversion/trunk/subversion/mod_dav_svn/authz.c Wed Jun 1 21:09:22 2011
> @@ -54,6 +54,11 @@ dav_svn__allow_read(request_rec *r,
> return TRUE;
> }
>
> + /* Sometimes we get paths that do not start with '/' and
> + hence below uri concatenation would lead to wrong uris .*/
> + if (path && path[0] != '/')
> + path = apr_pstrcat(pool, "/", path, NULL);
> +
> /* If bypass is specified and authz has exported the provider.
> Otherwise, we fall through to the full version. This should be
> safer than allowing or disallowing all accesses if there is a
>
> Modified: subversion/trunk/subversion/tests/cmdline/svnsync_tests.py
> URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/cmdline/svnsync_tests.py?rev=1130303&r1=1130302&r2=1130303&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/tests/cmdline/svnsync_tests.py (original)
> +++ subversion/trunk/subversion/tests/cmdline/svnsync_tests.py Wed Jun 1 21:09:22 2011
> @@ -870,6 +870,67 @@ def commit_a_copy_of_root(sbox):
> #Testcase for issue 3438.
> run_test(sbox, "repo-with-copy-of-root-dir.dump")
>
> +
> +@Skip(svntest.main.is_ra_type_file)
> +def specific_deny_authz(sbox):
> + "verify if specifically denied paths dont sync"
> +
> + sbox.build("specific-deny-authz")
> +
> + dest_sbox = sbox.clone_dependent()
> + build_repos(dest_sbox)
> +
> + svntest.actions.enable_revprop_changes(dest_sbox.repo_dir)
> +
> + run_init(dest_sbox.repo_url, sbox.repo_url)
> +
> + svntest.main.run_svn(None, "cp",
> + os.path.join(sbox.wc_dir, "A"),
> + os.path.join(sbox.wc_dir, "A_COPY")
> + )
> + svntest.main.run_svn(None, "ci", "-mm", sbox.wc_dir)
> +
> + write_restrictive_svnserve_conf(sbox.repo_dir)
> +
> + # For mod_dav_svn's parent path setup we need per-repos permissions in
> + # the authz file...
> + if sbox.repo_url.startswith('http'):
> + svntest.main.file_write(sbox.authz_file,
> + "[specific-deny-authz:/]\n"
> + "* = r\n"
> + "\n"
> + "[specific-deny-authz:/A]\n"
> + "* = \n"
> + "\n"
> + "[specific-deny-authz:/A_COPY/B/lambda]\n"
> + "* = \n"
> + "\n"
> + "[specific-deny-authz-1:/]\n"
> + "* = rw\n")
> + # Otherwise we can just go with the permissions needed for the source
> + # repository.
> + else:
> + svntest.main.file_write(sbox.authz_file,
> + "[/]\n"
> + "* = r\n"
> + "\n"
> + "[/A]\n"
> + "* = \n"
> + "\n"
> + "[/A_COPY/B/lambda]\n"
> + "* = \n")
> +
> + run_sync(dest_sbox.repo_url)
> +
> + lambda_url = dest_sbox.repo_url + '/A_COPY/B/lambda'
> +
> + # this file should have been blocked by authz
> + svntest.actions.run_and_verify_svn(None,
> + [], svntest.verify.AnyOutput,
> + 'cat',
> + lambda_url)
> +
> +
> # issue #3641 'svnsync fails to partially copy a repository'.
> # This currently fails because while replacements with history
> # within copies are handled, replacements without history inside
> @@ -988,6 +1049,7 @@ test_list = [ None,
> identity_copy,
> delete_svn_props,
> commit_a_copy_of_root,
> + specific_deny_authz,
> descend_into_replace,
> delete_revprops,
> fd_leak_sync_from_serf_to_local,
>
>
>
Received on 2011-06-01 23:15:18 CEST