
Re: [CONTRIB] hook script check-needs-lock-on-binaries.pl

From: Daniel Shahaf <danielsh_at_elego.de>
Date: Sun, 5 May 2013 03:18:48 +0300

Daniel Shahaf wrote on Sun, May 05, 2013 at 03:10:13 +0300:
> Bastiaan Veelo wrote on Sat, May 04, 2013 at 22:58:52 +0200:
> > # Heuristics to determine if file is binary.
> > #
> > # Take the paranoid approach: everything is binary, unless otherwise
> > # stated.
> > #   - If svn:eol-style is set, it is text.
> > #   - If svn:mime-type is text/*, it is text.
> > #   - A configurable file glob list (extensions, *.txt, etc.) that are
> > #     text (defined on the command line).
> > sub file_is_binary {
> >     my $file = shift;
> >     if (has_svn_property($file, "svn:eol-style")) {
> >         return 0;
> >     }
> >     if (has_svn_property($file, "svn:mime-type")) {
> >         my ($mimetype) = read_from_process("$svnlook propget $flag $value $repos svn:mime-type \"$file\"");
>
> That's a major security hole: an authenticated committer is able to run
> arbitrary commands in the context of the OS user whom the commit process
> runs as. (In particular, they can run 'rm -rf $repos' if they guess the
> path to $repos.)
>
> You need to escape $file properly. Probably by using the N-arguments
> syntax of system() or open(), plus a '--' sentinel in svnlook's argv.

Specifically, it'll be something like this:

svn mkdir --parents -mm $REPOS_URL/dir-i-can-commit-to/%3b%20rm%20-rf%20/%3b%3a

Daniel
(you need the second %3b to ensure the trailing slash doesn't get stripped as
part of path canonicalization. %3b at the end makes the pipe exit code zero.)
Received on 2013-05-05 02:19:26 CEST
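
The fix suggested in the mail above (the N-arguments form of open() plus a '--' sentinel in svnlook's argv), as an added example that is not part of the original mail or of the contributed hook script. The helper names read_from_process_safe and propget_argv, the transaction name, the repository path and the file name are constructed for illustration, and a child perl stands in for svnlook so the script runs without a repository.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run a command WITHOUT a shell and return its output lines.
# List-form open() hands @argv straight to exec(), so ';', '"', '$' and
# friends inside an argument are plain bytes, never shell syntax.
sub read_from_process_safe {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    my @lines = <$fh>;
    close($fh)
        or die "$argv[0] failed: " . ($! ? $! : "wait status $?") . "\n";
    chomp @lines;
    return @lines;
}

# Build the svnlook argv for one property lookup. The '--' sentinel ends
# option parsing, so a value beginning with '-' is not read as an option.
sub propget_argv {
    my ($svnlook, $flag, $value, $repos, $propname, $file) = @_;
    return ($svnlook, 'propget', $flag, $value, '--',
            $repos, $propname, $file);
}

# Constructed sample values (not from the original mail).
my $file = 'dir/; echo INJECTED;:';
my @argv = propget_argv('svnlook', '-t', '1-1', '/srv/repos',
                        'svn:mime-type', $file);

# Stand-in for svnlook so this runs without a repository: a child perl
# that prints every argument it received, one per line.
my @seen = read_from_process_safe(
    $^X, '-e', 'print "$_\n" for @ARGV', '--', @argv);

print "child argv: [", join('] [', @seen), "]\n";
die "file name was altered on the way to the child\n"
    unless @seen == @argv && $seen[-1] eq $file;
print "file name reached the child as one intact argument\n";
```

In the hook itself, the list returned by propget_argv would be passed to read_from_process_safe directly, with the real svnlook path as its first element.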

This is an archived mail posted to the Subversion Dev mailing list.