Security issue: $PATH _is_ set in pre-lock hook (Subversion 1.7)

From: Julian Ruhe <julian.ruhe_at_gmail.com>
Date: Thu, 24 Jul 2014 16:16:31 +0200

All of the sudden, starting somewhere prior to 1.7.13, the $PATH variable
is set, although the svnbook states
"For security reasons, the Subversion repository executes hook programs
with an empty environment—that is, no environment variables are set at all,
not even $PATH (or %PATH%, under Windows)."

env 1>&2
svn --version 1>&2
echo $PATH 1>&2
exit 1

==================================

svn: E165001: Lock blocked by pre-lock hook (exit code 1) with output:
LANG=en_US.utf-8
PWD=/
LC_ALL=en_US.utf-8

svn, version 1.7.17 (r1591372)
compiled Jun 17 2014, 14:13:29

Copyright (C) 2014 The Apache Software Foundation.
This software consists of contributions made by many people; see the NOTICE
file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
- handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
- handles 'file' scheme

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

=====

Testet with 1.7.17 debian/compiled, 1.7.13 RHEL 6,4 CollabNet

Greetings,
J.Ruhe
Received on 2014-07-25 08:33:47 CEST

This message: [ Message body ]
Next message: merch store: "Re: http-request PUT"
Previous message: Ben Reser: "Re: http-request PUT"
Next in thread: Philip Martin: "Re: Security issue: $PATH _is_ set in pre-lock hook (Subversion 1.7)"
Reply: Philip Martin: "Re: Security issue: $PATH _is_ set in pre-lock hook (Subversion 1.7)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]