
Re: Content scanning during checkout/update

From: Ryan Schmidt <subversion-2011a_at_ryandesign.com>
Date: Tue, 19 Jul 2011 12:02:59 -0500

On Jul 19, 2011, at 07:06, Toplak Daniel wrote:

> I want to implement server-side scanning for malicious content in both ways: when commits arrive and when checkouts/updates are sent to the client.
> The first way is running fine via a pre-commit hook which extracts the content from the transaction and scans the content with ClamAV.
>
> My problem is to get the 2nd thing working.

Right, that's more difficult since Subversion doesn't have a pre- or post-checkout or -update hook.

I wrote a script to help you fake it, if you're serving the repository using Apache:

http://www.ryandesign.com/svnhookdispatcher/

This wouldn't prevent someone from checking out or updating, but would give you a chance to run a script on the server when they do. If the script finds something it needs to alert the user about, it could do so using external means, like by sending them an email or an instant message.

But why is it that you want to scan not only at commit time but also at checkout/update time? If you scan files for malicious content at commit, isn't that enough? Once you've verified the commit is clean, it'll stay clean; revisions can't be modified later. Or are you worried that someone commits some new malware that's not yet identified by your scanning software, and you want to scan it again later with updated versions of the scanning software?
Received on 2011-07-19 19:03:39 CEST

This is an archived mail posted to the Subversion Users mailing list.
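
The commit-time scan discussed in the thread above, sketched as an added example (it is not code from the original mails, from the svnhookdispatcher script, or from Subversion's hook templates). It assumes `svnlook` and `clamscan` are on the hook's PATH; the function names are illustrative, and the hook rejects the commit both on a detection and on any read or scanner error.

```shell
#!/bin/sh
# Added example: Subversion pre-commit hook that scans a transaction with ClamAV.
# Subversion runs it as: pre-commit REPOS TXN. Assumes svnlook and clamscan on PATH.

# Reduce `svnlook changed` output to the files whose content must be scanned:
# status A or U in the first column. Deletions, property-only changes (_U)
# and directories (trailing "/") carry no new file content.
changed_files() {
    while IFS= read -r line; do
        path=${line#????}              # the status field is 4 columns wide
        case "$line" in
            [AU]*) case "$path" in */) ;; *) printf '%s\n' "$path" ;; esac ;;
        esac
    done
}

# Scan every changed file in transaction $2 of repository $1.
# Returns 0 only when every file was read and scanned clean (fail closed).
scan_txn() {
    repos=$1 txn=$2 rc=0
    tmp=$(mktemp) || return 1
    list=$(svnlook changed -t "$txn" "$repos") || { rm -f "$tmp"; return 1; }
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! svnlook cat -t "$txn" "$repos" "$path" > "$tmp"; then
            echo "Cannot read $path from the transaction" >&2; rc=1; continue
        fi
        # clamscan exits 0 when clean, 1 when infected, 2 on error
        s=0; clamscan --no-summary "$tmp" >/dev/null 2>&1 || s=$?
        case $s in
            0) ;;
            1) echo "Malicious content detected in $path" >&2; rc=1 ;;
            *) echo "Scanner error on $path, rejecting commit" >&2; rc=1 ;;
        esac
    done <<EOF
$(printf '%s\n' "$list" | changed_files)
EOF
    rm -f "$tmp"
    return $rc
}

# Hook entry point: a non-zero exit makes Subversion reject the commit
# and relay stderr to the committing client.
if [ "$#" -eq 2 ]; then
    scan_txn "$1" "$2" || exit 1
fi
```

Each file is spooled to a temporary file rather than piped into the scanner so that a failed `svnlook cat` cannot turn into a clean result on empty input.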