RE: svn commit: r1366209 - in /subversion/trunk/subversion: libsvn_wc/externals.c tests/libsvn_client/client-test.c

> -----Original Message-----
> From: Blair Zajac [mailto:blair_at_orcaware.com]
> Sent: vrijdag 27 juli 2012 01:47
> To: rhuijben_at_apache.org
> Cc: dev_at_subversion.apache.org
> Subject: Re: svn commit: r1366209 - in /subversion/trunk/subversion:
> libsvn_wc/externals.c tests/libsvn_client/client-test.c
>
> On 07/26/2012 03:04 PM, rhuijben_at_apache.org wrote:
> > Author: rhuijben
> > Date: Thu Jul 26 22:04:03 2012
> > New Revision: 1366209
> >
> > URL: http://svn.apache.org/viewvc?rev=1366209&view=rev
> > Log:
> > * subversion/libsvn_wc/externals.c
> > (svn_wc__resolve_relative_external_url):
> > Deny /../ syntax in urls in externals. Stepping over the
> > root of a server is not possible.
>
> The first sentence sounds like no /../ are allowed in any external URLs
> which isn't the case, it appears with your change they are not allowed
> anywhere for any scheme or server root relative path, just just past the
> first two characters.

Hmm, not sure how to put it in a log message, but this is specifically about
/../something/style
relative paths.

We already denied
//../url

And
/url/../../path

While we (via a different code path) do allow ../../../some/dir and ^/../../some/dir

The +2 which I removed with my patch was originally added to allow the // and ^/ paths to skip the relpath rules. But since they now use a different code path I re-enabled the original check to disallow /../

With the specific /../something/style url we would generate
http://svn.apache.org/../something/style (assuming a current repository of http://svn.apache.org/repos/asf)
urls, which should (as far as I can tell) never work and are certainly not recommended.

        Bert
Received on 2012-07-27 02:35:55 CEST