Re: Logging Subversion client HTTP requests

From: Ryan Schmidt <subversion-2011a_at_ryandesign.com>
Date: Mon, 1 Aug 2011 02:50:57 -0500

On Aug 1, 2011, at 01:57, Markus Schaber wrote:
> Ryan Schmidt wrote:
>>
>> Don't reinvent the wheel, because you probably
>> won't get it quite right, and you'll cause weird error messages or
>> possibly even repository corruption.
>
> Hmm. For http(s)://, svn:// and well set-up svn+ssh:// servers, he
> should not be able to create repository corruption, right? I would
> consider everything else to be a serious security bug in subversion.
>
> For file://, this is a completely different game, I guess. :-)

I would hope so. I know Subversion has a test suite which should ensure its reliability. But I can't guarantee for certain that some unexpected input that nobody has tested before (i.e. input that no existing Subversion client could generate, because the library just wouldn't do that) might cause a Subversion server to do something unexpected, like crash or write wrong data somewhere.

I've seen it in other (less-meticulously-developed) projects before. I was trying to debug some endian issues in a program to log in to a closed-source game server, and the unexpectedly endian-reversed bytes caused the game's auth server to crash.

Buffer overflows and other vulnerabilities that can cause crashes or unexpected operation are constantly being discovered in all kinds of software, and I can't say for certain that Subversion doesn't have any.
Received on 2011-08-01 09:52:01 CEST

This is an archived mail posted to the Subversion Users mailing list.
