[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

svn+ssh://: preventing post-commit from running

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sat, 22 Oct 2016 12:18:23 +0000

When using svn+ssh://, if the ssh session is killed whilst rep-cache.db
is being written to, then the post-commit hook won't run.

The problem is that a malicious committer could intentionally kill the
ssh session at that point in time, to prevent post-commit emails from
being sent, and so on.

Proof of concept:

% rm -rf r
% svnadmin create r
% printf '%s\n' '#!/bin/sh' 'touch /tmp/good' > r/hooks/post-commit
% chmod +x r/hooks/post-commit
% rm -f /tmp/good
%
% svnmucc put -mm r/README.txt file://$PWD/r/$RANDOM # creates rep-cache.db
% rm /tmp/good
%
% sqlite3 r/db/rep-cache.db
sqlite> begin immediate transaction;
sqlite> ^Z
zsh: suspended sqlite3 r/db/rep-cache.db
% svnmucc put -mm =(date; echo $RANDOM) svn+ssh://localhost/$PWD/r/$RANDOM
daniel_at_localhost's password:
^Z
zsh: suspended svnmucc put -mm =(date; echo $RANDOM) svn+ssh://localhost/$PWD/r/$RANDOM
% pkill -x ssh
% rm /tmp/good
rm: cannot remove ‘/tmp/good’: No such file or directory
zsh: exit 1 rm /tmp/good
Received on 2016-10-22 14:20:22 CEST

This is an archived mail posted to the Subversion Dev mailing list.