Posted to dev@subversion.apache.org by Peter Samuelson <pe...@p12n.org> on 2008/07/01 04:24:42 UTC

[PATCH] Simpler and safer DAV proxy sync script

Is there any reason not to recommend this much simpler procedure for
DAV mirroring?  It is not only simpler and faster, but closes a
security hole in temp file handling on the master.
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/

[[[
Use a simple pipe for svnadmin dump / load in the WebDAV proxy
example scripts, instead of temporary files.

* notes/webdav-proxy: Rewrite mirror hook example to use a pipe instead
    of a temp file.  Also use -q in svnadmin dump|load, because nobody
    needs to see the verbose output.

* www/svn_1.5_releasenotes.html (webdav-proxy-example): Likewise.
]]]

Index: www/svn_1.5_releasenotes.html
===================================================================
--- www/svn_1.5_releasenotes.html	(revisione 31895)
+++ www/svn_1.5_releasenotes.html	(copia locale)
@@ -1164,11 +1164,9 @@
    SLAVE_PATH=/my/local/copy/of/repos
 
    # Ensure svnadmin is in $PATH on both this machine and the remote server!
-   svnadmin dump --incremental -r$2 $1 &gt; /tmp/$2.dump
-   scp /tmp/$2.dump $SLAVE_HOST:$SLAVE_PATH
-   ssh $SLAVE_HOST "svnadmin load $SLAVE_PATH &lt; $SLAVE_PATH/$2.dump"
-   ssh $SLAVE_HOST "rm $SLAVE_PATH/$2.dump"
-   rm /tmp/$2.dump
+
+   svnadmin dump -q --incremental -r$REV "$REPOS" |
+     ssh $SLAVE_HOST "svnadmin load -q $SLAVE_PATH"
 </code></pre>
 
 </div>  <!-- webdav-proxy-example -->
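
Review bot: the added `svnadmin dump -q --incremental -r$REV "$REPOS" |` line reads `$REV` and `$REPOS`, where the removed lines read the positional `$2` and `$1`, and nothing in this hunk assigns either variable; the visible context sets only `SLAVE_PATH`. Unless both are assigned earlier in the example, `-r` is passed with no revision and the repository path is empty. Either confirm the assignments exist above this hunk or add `REPOS="$1"` and `REV="$2"` beside `SLAVE_PATH`. The hunk also adds an empty line after the comment that the matching notes/webdav-proxy hunk does not, so the two copies of the example differ.
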
Index: notes/webdav-proxy
===================================================================
--- notes/webdav-proxy	(revisione 31895)
+++ notes/webdav-proxy	(copia locale)
@@ -62,11 +62,8 @@
 SLAVE_PATH=/my/local/copy/of/repos
 
 # Ensure svnadmin is in your PATH on both this machine and the remote server!
-svnadmin dump --incremental -r$2 $1 > /tmp/$2.dump
-scp /tmp/$2.dump $SLAVE_HOST:$SLAVE_PATH
-ssh $SLAVE_HOST "svnadmin load $SLAVE_PATH < $SLAVE_PATH/$2.dump"
-ssh $SLAVE_HOST "rm $SLAVE_PATH/$2.dump"
-rm /tmp/$2.dump
+svnadmin dump -q --incremental -r$REV "$REPOS" |
+  ssh $SLAVE_HOST "svnadmin load -q $SLAVE_PATH"
 ----
 
 Issues/Thoughts:
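
Review bot: the new pipeline ending in `ssh $SLAVE_HOST "svnadmin load -q $SLAVE_PATH"` reports only the exit status of the `ssh` side in a plain POSIX shell, so a failing `svnadmin dump` on the master is not reflected in the script's result. Nothing after the pipeline checks the result either, since the example ends at the `----` line. Suggest testing the status and logging a failure together with the revision and slave host, so that a slave that has fallen behind is detected rather than silently left out of sync.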

Re: [PATCH] Simpler and safer DAV proxy sync script

Posted by Peter Samuelson <pe...@p12n.org>.
[Karl Fogel]
> Looks reasonable to me.  (Did you actually test it, though?)

I did not - but (a) piping svnadmin dump -q to svnadmin load -q, and
(b) piping commands to each other through ssh (which is 8-bit-clean
when used in this manner), are both things I do often.

I can test it when I set up a DAV proxy here at work, which I plan to
do anyway sometime this week.
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Simpler and safer DAV proxy sync script

Posted by "C. Michael Pilato" <cm...@collab.net>.
Mark Phippard wrote:
> On Tue, Jul 1, 2008 at 11:22 AM, Karl Fogel <kf...@red-bean.com> wrote:
>> Peter Samuelson <pe...@p12n.org> writes:
>>> Is there any reason not to recommend this much simpler procedure for
>>> DAV mirroring?  It is not only simpler and faster, but closes a
>>> security hole in temp file handling on the master.
>> Looks reasonable to me.  (Did you actually test it, though?)
> 
> Do we have a script that uses svnsync?  I recall this script pre-dated
> svnsync being available as an option.  I just do not see why we would
> promote any other option.

The Book recommends using svnsync, so I don't mind if our notes demonstrate 
yet another way of doing this.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


Re: [PATCH] Simpler and safer DAV proxy sync script

Posted by Mark Phippard <ma...@gmail.com>.
On Tue, Jul 1, 2008 at 11:22 AM, Karl Fogel <kf...@red-bean.com> wrote:
> Peter Samuelson <pe...@p12n.org> writes:
>> Is there any reason not to recommend this much simpler procedure for
>> DAV mirroring?  It is not only simpler and faster, but closes a
>> security hole in temp file handling on the master.
>
> Looks reasonable to me.  (Did you actually test it, though?)

Do we have a script that uses svnsync?  I recall this script pre-dated
svnsync being available as an option.  I just do not see why we would
promote any other option.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


Re: [PATCH] Simpler and safer DAV proxy sync script

Posted by Karl Fogel <kf...@red-bean.com>.
Peter Samuelson <pe...@p12n.org> writes:
> Is there any reason not to recommend this much simpler procedure for
> DAV mirroring?  It is not only simpler and faster, but closes a
> security hole in temp file handling on the master.

Looks reasonable to me.  (Did you actually test it, though?)

> [[[
> Use a simple pipe for svnadmin dump / load in the WebDAV proxy
> example scripts, instead of temporary files.
>
> * notes/webdav-proxy: Rewrite mirror hook example to use a pipe instead
>     of a temp file.  Also use -q in svnadmin dump|load, because nobody
>     needs to see the verbose output.
>
> * www/svn_1.5_releasenotes.html (webdav-proxy-example): Likewise.
> ]]]
>
> Index: www/svn_1.5_releasenotes.html
> ===================================================================
> --- www/svn_1.5_releasenotes.html	(revisione 31895)
> +++ www/svn_1.5_releasenotes.html	(copia locale)
> @@ -1164,11 +1164,9 @@
>     SLAVE_PATH=/my/local/copy/of/repos
>  
>     # Ensure svnadmin is in $PATH on both this machine and the remote server!
> -   svnadmin dump --incremental -r$2 $1 &gt; /tmp/$2.dump
> -   scp /tmp/$2.dump $SLAVE_HOST:$SLAVE_PATH
> -   ssh $SLAVE_HOST "svnadmin load $SLAVE_PATH &lt; $SLAVE_PATH/$2.dump"
> -   ssh $SLAVE_HOST "rm $SLAVE_PATH/$2.dump"
> -   rm /tmp/$2.dump
> +
> +   svnadmin dump -q --incremental -r$REV "$REPOS" |
> +     ssh $SLAVE_HOST "svnadmin load -q $SLAVE_PATH"
>  </code></pre>
>  
>  </div>  <!-- webdav-proxy-example -->
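
Review bot: in `ssh $SLAVE_HOST "svnadmin load -q $SLAVE_PATH"`, `$SLAVE_PATH` is expanded locally and the resulting string is parsed a second time by the shell on the slave, and `$SLAVE_HOST` is unquoted, while the same change takes care to quote `"$REPOS"`. A slave path containing spaces or shell metacharacters would be split or interpreted remotely. Suggest `ssh "$SLAVE_HOST" "svnadmin load -q '$SLAVE_PATH'"`, or a line in the example stating that `SLAVE_PATH` must not contain characters special to the shell.
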
> Index: notes/webdav-proxy
> ===================================================================
> --- notes/webdav-proxy	(revisione 31895)
> +++ notes/webdav-proxy	(copia locale)
> @@ -62,11 +62,8 @@
>  SLAVE_PATH=/my/local/copy/of/repos
>  
>  # Ensure svnadmin is in your PATH on both this machine and the remote server!
> -svnadmin dump --incremental -r$2 $1 > /tmp/$2.dump
> -scp /tmp/$2.dump $SLAVE_HOST:$SLAVE_PATH
> -ssh $SLAVE_HOST "svnadmin load $SLAVE_PATH < $SLAVE_PATH/$2.dump"
> -ssh $SLAVE_HOST "rm $SLAVE_PATH/$2.dump"
> -rm /tmp/$2.dump
> +svnadmin dump -q --incremental -r$REV "$REPOS" |
> +  ssh $SLAVE_HOST "svnadmin load -q $SLAVE_PATH"
>  ----
>  
>  Issues/Thoughts:
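
Review bot: the context comment above the new pipeline still covers only `svnadmin` being in PATH on both machines. The log message describes this as a hook example, and a hook has no terminal to answer a prompt, so the `ssh $SLAVE_HOST` call only works with non-interactive authentication. Suggest extending the comment to state that requirement, and that the account used on the slave needs no more than write access to the repository at `$SLAVE_PATH`.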
