RE: Proposal: new fsfs.conf properties
From: Markus Schaber <m.schaber_at_codesys.com>
Date: Wed, 12 Jul 2017 11:43:10 +0000
From: Johan Corveleyn [mailto:jcorvel_at_gmail.com]
A malicious user can always "explode" the server by just uploading/overwriting huge random files. Using svnmucc and a unix pipe, he doesn't even need a local file or working copy for that.
Thus, I think listening to a client hint in general will not open a completely new security hole. SVN repositories are a kind of data storage, and we cannot prevent users from abusing it by storing data...
> In fact, making it coupled with "client also non-deltifies" forces the client
Yes, I think allowing deltification for the client while storing non-deltified on the server amplifies the possible attack, so we should be careful.
Could the server use the already pre-deltified and -compressed representation coming from the client, without compressing and re-deltifying itself (but still verifying it, of course).
On the other hand, I'd also hesitate to automatically skip deltification and compression just because the client delivers uncompressed or non-deltified content. This will effectively disable deltification and compression for svnmucc, DAV-autoversioning and maybe some other use cases.
CODESYS® a trademark of 3S-Smart Software Solutions GmbH
Inspiring Automation Solutions
3S-Smart Software Solutions GmbH
Managing Directors: Dipl.Inf. Dieter Hess, Dipl.Inf. Manfred Werner | Trade register: Kempten HRB 6186 | Tax ID No.: DE 167014915
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received
This is an archived mail posted to the Subversion Dev mailing list.