
Security issue: $PATH _is_ set in pre-lock hook (Subversion 1.7)

From: Julian Ruhe <julian.ruhe_at_gmail.com>
Date: Thu, 24 Jul 2014 16:16:31 +0200

All of a sudden, starting somewhere prior to 1.7.13, the $PATH variable
is set, although the svnbook states
"For security reasons, the Subversion repository executes hook programs
with an empty environment—that is, no environment variables are set at all,
not even $PATH (or %PATH%, under Windows)."

env 1>&2
svn --version 1>&2
echo $PATH 1>&2
exit 1

==================================

svn: E165001: Lock blocked by pre-lock hook (exit code 1) with output:
LANG=en_US.utf-8
PWD=/
LC_ALL=en_US.utf-8

svn, version 1.7.17 (r1591372)
   compiled Jun 17 2014, 14:13:29

Copyright (C) 2014 The Apache Software Foundation.
This software consists of contributions made by many people; see the NOTICE
file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

=====

Tested with 1.7.17 debian/compiled, 1.7.13 RHEL 6,4 CollabNet

Greetings,
J.Ruhe
Received on 2014-07-25 08:33:47 CEST
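
Added example, not part of the original post: in the output above, env lists LANG, PWD and LC_ALL but no PATH, while echo $PATH prints a value. bash and dash give PATH a built-in default as a shell variable when none is inherited, so a hook can check where a value comes from and pin its own search path. The function names and the pinned value /usr/bin:/bin are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# var_origin NAME -> prints where NAME's value lives:
#   environment : in the process environment (inherited from the server,
#                 or exported by the shell itself, e.g. PWD)
#   shell-only  : set inside this shell, not passed to child processes
#                 (this is what a shell's built-in default PATH looks like)
#   unset       : not set at all
var_origin() {
    # Accept only a valid variable name; it is used inside eval below.
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid"; return 2 ;;
    esac
    if ! eval "[ \"\${$1+set}\" = set ]"; then
        echo "unset"
    elif env | grep -q "^$1="; then
        # env prints exactly what a child process would receive.
        echo "environment"
    else
        echo "shell-only"
    fi
}

# Pin the search path so command lookup in the hook depends neither on
# what the server passed in nor on the shell's compiled-in default.
# /usr/bin:/bin is an assumed value; adjust it to the host.
pin_hook_path() {
    PATH=/usr/bin:/bin
    export PATH
}

# Typical use at the top of a hook script:
#   echo "PATH origin: $(var_origin PATH)" 1>&2
#   pin_hook_path
```

A result of shell-only for PATH means the server passed no PATH and the value came from the shell that runs the hook.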

This is an archived mail posted to the Subversion Users mailing list.
