With apache 2.4.7 and subversion 1.8.8 (as in the not-yet-released ubuntu 14.04
as of today), we see PROPFIND responses that have:
(REQUEST:
PROPFIND /svn/ HTTP/1.1
User-Agent: cadaver/0.23.3 neon/0.29.1
[...]
<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop></propfind>)
RESPONSE:
HTTP/1.1 207 Multi-Status
Date: Wed, 26 Feb 2014 08:40:23 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 2549
Content-Type: text/xml; charset="utf-8"
<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:ns1="http://apache.org/dav/props/" xmlns:ns0="DAV:">
[...]
<D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="http://apache.org/dav/props/" xmlns:g1="DAV:">
⇨ <D:href>/svn/a>b</D:href>
[...]
<lp1:checked-in><D:href>/svn/!svn/ver/3/a%3Eb</D:href></lp1:checked-in>
[...]
</D:response>
<D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="DAV:" xmlns:g1="http://apache.org/dav/props/">
⇨ <D:href>/svn/A B/</D:href>
[...]
<D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="http://apache.org/dav/props/" xmlns:g1="DAV:">
⇨ <D:href>/svn/%2F</D:href>
Those are files called "a>b", "A B" and "%2F" stored in the repository. The <D:href> should have been encoded to:
⇨ <D:href>/svn/a%3Eb</D:href>
⇨ <D:href>/svn/A%20B/</D:href>
⇨ <D:href>/svn/%252F</D:href>
and cause the clients to fail to parse the response properly.
Newer subversion clients no longer use PROPFIND, but that bug
can be seen when using older subversion clients (like 1.6.17) or
using other DAV clients (like cadaver above).
dav_fs doesn't have the same problem. I suspect the bug was introduced by the fix to
https://issues.apache.org/bugzilla/show_bug.cgi?id=55397 which
no longer encodes URIs coming from the provider
(https://svn.apache.org/viewvc?view=revision&revision=1529559)
To reproduce:
On a Ubuntu 14.04 test machine:
apt-get install apache2 subversion libapache2-mod-svn
a2enmod dav_svn
svnadmin create /srv/svn
chown -R www-data: /srv/svn
cat > /etc/apache2/mods-available/dav_svn.conf << EOF
<Location /svn>
DAV svn
SVNPath /srv/svn
</Location>
EOF
service apache2 restart
Populate the repository with:
svn co http://server/svn test
cd test
echo test > 'A B'
svn add 'A B'
svn ci -m m
Then:
telnet server 80
PROPFIND /svn/A%20B HTTP/1.1
Host: server
Connection: close
(or use cadaver or other DAV client, or svn log 'A B' with a 1.6 client).
Additional information:
That bug was raised at ubuntu at:
https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1284641
https://issues.apache.org/bugzilla/show_bug.cgi?id=55397 is a
followup on
https://issues.apache.org/bugzilla/show_bug.cgi?id=54367
https://issues.apache.org/bugzilla/show_bug.cgi?id=54611
whose fix itself had broken earlier versions of dav_svn by causing
Location headers to be URI-encoded twice (which you can observe
by doing a CHECKOUT with a subversion client 1.6.17 on a ubuntu
13.10 server (apache 2.4.6 with dav_svn 1.7.9) on a filename
with spaces).
I could be that that still applies in svn 1.8.8 with apache 2.4.7 but I could
not test it because of the other bug (the one I'm reporting here) which
triggers sooner so the CHECKOUT is never sent by the client.
Best regards,
Stephane
Received on 2014-02-26 22:52:07 CET