[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion fails to checkout new working set when $HOME is automounted

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Thu, 23 Jan 2020 18:40:56 +0000

Vincent Lefevre wrote on Thu, 23 Jan 2020 15:50 +0100:
> On 2020-01-23 12:44:02 +0100, Joerg Wunsch wrote:
> > If the automounter already yields ENOENT for the ../.svn directory
> > probe, everything is not going to be a problem. I think the point here
> > is the automounter (eventually, after "thinking" about it for about 1
> > s) offers a successful stat() result for ../.svn (probably because
> > that directory *might be* a possible mount point for the automounter)
> > but then yields EIO when trying to access anything within that
> > ficticous directory (because nothing is actually mounted there).
>
> Do you mean that Subversion tries to go higher in the hierarchy
> without checking the owner of the directory? If it does, this is
> a security issue.

How so? What's the attacker model? What can someone leverage this
feature of Subversion to do that they couldn't do without it?
Received on 2020-01-23 19:41:05 CET

This is an archived mail posted to the Subversion Users mailing list.