You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by Michael Sinz <Mi...@sinz.org> on 2005/10/23 03:33:54 UTC

[PATCH] fix handling of files/dirs with ":" in mod_dav_svn index listing

In mod_dav_svn the returned links (and XML href attributes) need to be escaped
for correct relative URL/URI support as per RFC 1808 [1]

All but one case is currently handled via the use of ap_escape_uri() within
mod_dav_svn.  The case is that of a file or directory that contains a ":"
character. [2]

The ":" character has special meaning before the first "/" character.  If a ":"
is encountered before the first "/" then the text before the ":" is the scheme
or protocol.  (http:, ftp:, etc)  Because full URLs (or URIs) can be escaped,
there is no way for the ap_escape_uri() function to know what to do with a ":"

However, Apache has the ap_os_escape_path() call (which is what ap_escape_uri()
really devolves into) with a 3rd parameter that tells it to treat the path as
something that will not be prepended with a full scheme://host/ syntax.  When
used in this context, the code checks if there is a ":" before the first "/"
and if so will prepend to the URL a "./" in order to render the ":" inert.

This fix should also be considered for a backport to 1.3.x and 1.2.x as it
has a security implication.  Namely, since currently mod_dav_svn does not
escape the links with ":" correctly, someone can put into the repository
a malicious link using whatever scheme is desired.

See thread starting at http://svn.haxx.se/dev/archive-2005-10/1058.shtml
for more details.

[1] see http://www.faqs.org/rfcs/rfc1808.html
[2] we ignore the issue of an entry with "/" in it since that is generally not
     accepted.  If that needs to be supported there are *many* other problems.

ps - I did not change the tabs within the file to spaces but there are some
lines in mod_dav_svn that are indented with tabs rather than spaces.  I did not
feel that this patch should address such a nit.

------------------------------------------------------------------

[[[
Fix mod_dav_svn such that files and directories with ":" in their names are
correctly escaped when returned in the HTML and XML output.  Without this fix
the links to those files and directories are invalid.

* subversion/mod_dav_svn/repos.c
   (dav_svn_deliver): When escaping the href use ap_os_escape_path( , , 0) which
     will prepend "./" to the href if there is a ":" before the first "/" rather
     than using ap_escape_uri() which does not do the prepending.
]]]

Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c      (revision 16897)
+++ subversion/mod_dav_svn/repos.c      (working copy)
@@ -2458,7 +2458,7 @@
         /* We quote special characters in both XML and HTML. */
         name = apr_xml_quote_string(entry_pool, name, !gen_html);

-        href = ap_escape_uri(entry_pool, href);
+        href = ap_os_escape_path(entry_pool, href, 0);
         href = apr_xml_quote_string(entry_pool, href, 1);

          if (gen_html)

-- 
Michael Sinz                     Technology and Engineering Director/Consultant
"Starting Startups"                                mailto:michael.sinz@sinz.org
My place on the web                            http://www.sinz.org/Michael.Sinz

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org