
Re: svn commit: r1362434 - in /subversion/trunk: configure.ac subversion/include/svn_fs.h subversion/libsvn_fs/fs-loader.c

From: Philip Martin <philip.martin_at_wandisco.com>
Date: Tue, 17 Jul 2012 14:21:09 +0100

Ivan Zhakov <ivan_at_visualsvn.com> writes:

> On Tue, Jul 17, 2012 at 2:14 PM, Philip Martin
> <philip.martin_at_wandisco.com> wrote:
>> philip_at_apache.org writes:
>> > Author: philip
>> > Date: Tue Jul 17 10:12:20 2012
>> > New Revision: 1362434
>> >
>> > URL: http://svn.apache.org/viewvc?rev=1362434&view=rev
>> > Log:
>> > Allow third party FS modules to be loaded when configured
>> > with --enable-runtime-module-search.
>> Until now anyone wanting to write an FS module had a problem: only
>> modules known to the Subversion project could be loaded and used.
>> That means that anyone wanting to write their own module had to get a
>> patch for their module name into the core Subversion code. Or write
>> their own loader/server.
>> I don't think there is any security risk here: I need to write to the
>> repository fs-type file to get a malicious module to load and if I can
>> do that it would be far easier to use one of the hook scripts.
> It is still a possible security issue here. Just imagine that the repository is
> stored on a network share or something. Someone tweaked fs-type and put
> a fake .dll in the repository folder. Then another user accesses this
> repository and gets this dll loaded on his behalf!

To get a DSO loaded it has to go into the library search path. If the
victim has a world writeable location in the search path the attacker
could replace any DSO.

> To prevent such issues we should validate fs-type to be only a file name
> with only alphanumeric characters. No dots, spaces or slashes. We also
> should only load DSO modules from the directory where Subversion is installed
> for better protection.

That's a good idea. r1362480.

Received on 2012-07-17 15:21:50 CEST

This is an archived mail posted to the Subversion Dev mailing list.
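
The check proposed in the thread (fs-type limited to alphanumeric characters, modules loaded only from the install directory), shown as an added example that is not Subversion's code and not the r1362480 change. `MODULE_DIR`, the `libfs_<name>.so` naming, the 32-character cap and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed module directory (assumption, not Subversion's path). */
#define MODULE_DIR "/usr/local/lib/svn-modules"
#define MAX_FS_TYPE_LEN 32 /* arbitrary cap chosen for this example */

/* ASCII-only test: isalnum() is locale-dependent and may accept
   bytes outside [0-9A-Za-z]. */
static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z')
        || (c >= 'A' && c <= 'Z');
}

/* Returns 1 only for a non-empty, bare alphanumeric name:
   no dots, spaces, slashes or backslashes can get through. */
int fs_type_is_valid(const char *fs_type)
{
    size_t i, len;
    if (fs_type == NULL)
        return 0;
    len = strlen(fs_type);
    if (len == 0 || len > MAX_FS_TYPE_LEN)
        return 0;
    for (i = 0; i < len; i++)
        if (!is_ascii_alnum((unsigned char)fs_type[i]))
            return 0;
    return 1;
}

/* Builds an absolute path under MODULE_DIR so the loader never walks
   the library search path. Returns 0 on success, -1 if the name is
   rejected or the buffer is too small. */
int fs_module_path(const char *fs_type, char *out, size_t out_len)
{
    int n;
    if (!fs_type_is_valid(fs_type))
        return -1;
    n = snprintf(out, out_len, "%s/libfs_%s.so", MODULE_DIR, fs_type);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample fs-type values. */
    const char *samples[] = { "fsfs", "bdb", "../evil", "evil.dll", "a b", "" };
    char path[256];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s %s\n", samples[i],
               fs_module_path(samples[i], path, sizeof(path)) ? "reject" : path);
    return 0;
}
```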