Posted to dev@subversion.apache.org by Blair Zajac <bl...@orcaware.com> on 2012/07/27 01:46:57 UTC

Re: svn commit: r1366209 - in /subversion/trunk/subversion: libsvn_wc/externals.c tests/libsvn_client/client-test.c

On 07/26/2012 03:04 PM, rhuijben@apache.org wrote:
> Author: rhuijben
> Date: Thu Jul 26 22:04:03 2012
> New Revision: 1366209
>
> URL: http://svn.apache.org/viewvc?rev=1366209&view=rev
> Log:
> * subversion/libsvn_wc/externals.c
>    (svn_wc__resolve_relative_external_url):
>      Deny /../ syntax in urls in externals. Stepping over the
>      root of a server is not possible.

The first sentence sounds like no /../ are allowed in any external URLs 
which isn't the case; it appears with your change they are not allowed 
anywhere for any scheme or server root relative path, just past the 
first two characters.

Blair



RE: svn commit: r1366209 - in /subversion/trunk/subversion: libsvn_wc/externals.c tests/libsvn_client/client-test.c

Posted by Bert Huijben <be...@qqmail.nl>.

> -----Original Message-----
> From: Blair Zajac [mailto:blair@orcaware.com]
> Sent: Friday 27 July 2012 01:47
> To: rhuijben@apache.org
> Cc: dev@subversion.apache.org
> Subject: Re: svn commit: r1366209 - in /subversion/trunk/subversion:
> libsvn_wc/externals.c tests/libsvn_client/client-test.c
> 
> On 07/26/2012 03:04 PM, rhuijben@apache.org wrote:
> > Author: rhuijben
> > Date: Thu Jul 26 22:04:03 2012
> > New Revision: 1366209
> >
> > URL: http://svn.apache.org/viewvc?rev=1366209&view=rev
> > Log:
> > * subversion/libsvn_wc/externals.c
> >    (svn_wc__resolve_relative_external_url):
> >      Deny /../ syntax in urls in externals. Stepping over the
> >      root of a server is not possible.
> 
> The first sentence sounds like no /../ are allowed in any external URLs
> which isn't the case; it appears with your change they are not allowed
> anywhere for any scheme or server root relative path, just past the
> first two characters.

Hmm, not sure how to put it in a log message, but this is specifically about /../something/style relative paths.

We already denied
//../url

And
/url/../../path

While we (via a different code path) do allow ../../../some/dir and ^/../../some/dir

The +2 which I removed with my patch was originally added to allow the // and ^/ paths to skip the relpath rules. But since they now use a different code path I re-enabled the original check to disallow /../

With the specific /../something/style url we would generate http://svn.apache.org/../something/style urls (assuming a current repository of http://svn.apache.org/repos/asf), which should (as far as I can tell) never work and are certainly not recommended.

	Bert
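The distinction Bert draws above, as an added example that is not Subversion's own code: a simplified Python re-implementation of the resolution rules the thread describes (`../` against the directory holding the definition, `^/` against the repository root, `//` scheme-relative, `/` server-root relative), which rejects any `/../` in the last two forms and rejects the first two only when they would step over the server root. The parent-directory and repository-root URLs are constructed assumptions, and peg revisions are ignored.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample context (assumption): the externals definition lives in
# a directory of the ASF repository mentioned in the thread.
REPOS_ROOT_URL = "http://svn.apache.org/repos/asf"
PARENT_DIR_URL = "http://svn.apache.org/repos/asf/subversion/trunk"


def _normalize(segments):
    """Collapse '' and '..' segments; return None if '..' climbs above root."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None  # would step over the server root
            out.pop()
        else:
            out.append(seg)
    return out


def resolve_external_url(external, parent_dir_url=PARENT_DIR_URL,
                         repos_root_url=REPOS_ROOT_URL):
    """Resolve one svn:externals URL (hypothetical simplified logic)."""
    if "://" in external:
        return external  # already an absolute URL
    parent, root = urlsplit(parent_dir_url), urlsplit(repos_root_url)
    if external.startswith("../"):
        # relative to the directory that holds the externals definition
        base, segs = parent, parent.path.split("/") + external.split("/")
    elif external.startswith("^/"):
        # relative to the repository root; ^/../ may reach sibling repositories
        base, segs = root, root.path.split("/") + external[2:].split("/")
    elif external.startswith("/"):
        # '//host/path' keeps the scheme; '/path' keeps scheme and host.
        # Neither form may contain '/../' (the check the patch re-enabled).
        if "/../" in external + "/":
            raise ValueError("'/../' not allowed in external: " + external)
        if external.startswith("//"):
            return parent.scheme + ":" + external
        return urlunsplit((parent.scheme, parent.netloc, external, "", ""))
    else:
        raise ValueError("unrecognised relative external: " + external)
    path = _normalize(segs)
    if path is None:
        raise ValueError("external steps over the server root: " + external)
    return urlunsplit((base.scheme, base.netloc, "/" + "/".join(path), "", ""))


def is_allowed(external):
    """True if the external resolves, False if it is rejected."""
    try:
        resolve_external_url(external)
        return True
    except ValueError:
        return False
```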