Posted to dev@subversion.apache.org by kf...@collab.net on 2004/09/14 00:09:21 UTC

Re: svn commit: r10939 - trunk/subversion/svnserve

lundblad@tigris.org writes:
> --- trunk/subversion/svnserve/serve.c	(original)
> +++ trunk/subversion/svnserve/serve.c	Mon Sep 13 15:04:53 2004
> @@ -1162,8 +1162,15 @@
>          ++path;
>  
>        /* Check for '..'. */
> +#if WIN32
> +      /* On Windows, don't allow sequences of more than one character
> +         consisting of just dots and spaces. */
> +      if (path - s >= 2 && strspn(s, ". ") == path - s)
> +        return FALSE;
> +#else  /* ! WIN32 */
>        if (path - s == 2 && s[0] == '.' && s[1] == '.')
>          return FALSE;
> +#endif
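Review bot: the new comment in the WIN32 branch states the rule (no component of two or more characters made up only of dots and spaces) but not the reason for it, and since the #else branch only rejects a literal `..`, a reader has no way to see why Windows needs the broader `strspn(s, ". ") == path - s` test. Suggest extending the comment to name the filesystem behaviour it guards against, namely that Windows ignores trailing dots and spaces when resolving a path component, so a component such as `...` or `.. ` can end up being treated as `..`; that makes clear the check is the same parent-directory guard as the POSIX branch rather than an arbitrary restriction. A minor style point: `#if WIN32` depends on the macro being defined to a non-zero value, whereas `#ifdef WIN32` expresses the intent directly.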

Could the comment maybe explain why this is desirable?

Thanks,
-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: svn commit: r10939 - trunk/subversion/svnserve

Posted by Martin Tomes <li...@tomes.org>.
Peter N. Lundblad wrote:
> On Tue, 13 Sep 2004 kfogel@collab.net wrote:
>>lundblad@tigris.org writes:
>>
>>>--- trunk/subversion/svnserve/serve.c	(original)
>>>+++ trunk/subversion/svnserve/serve.c	Mon Sep 13 15:04:53 2004
>>>@@ -1162,8 +1162,15 @@
>>>         ++path;
>>>
>>>       /* Check for '..'. */
>>
>>Could the comment maybe explain why this is desirable?

My guess is that it closes a security hole - but I am guessing here:-)

-- 
Martin Tomes
echo 'martin at tomes x org x uk'\
  | sed -e 's/ x /\./g' -e 's/ at /@/'

The Subversion Wiki is at http://www.subversionary.org/

Re: svn commit: r10939 - trunk/subversion/svnserve

Posted by "Peter N. Lundblad" <pe...@famlundblad.se>.
On Tue, 13 Sep 2004 kfogel@collab.net wrote:

> lundblad@tigris.org writes:
> > --- trunk/subversion/svnserve/serve.c	(original)
> > +++ trunk/subversion/svnserve/serve.c	Mon Sep 13 15:04:53 2004
> > @@ -1162,8 +1162,15 @@
> >          ++path;
> >
> >        /* Check for '..'. */
> > +#if WIN32
> > +      /* On Windows, don't allow sequences of more than one character
> > +         consisting of just dots and spaces. */
> > +      if (path - s >= 2 && strspn(s, ". ") == path - s)
> > +        return FALSE;
> > +#else  /* ! WIN32 */
> >        if (path - s == 2 && s[0] == '.' && s[1] == '.')
> >          return FALSE;
> > +#endif
>
> Could the comment maybe explain why this is desirable?
>
r10954.

Regards,
//Peter