Posted to dev@subversion.apache.org by Ben Collins-Sussman <su...@red-bean.com> on 2008/05/26 00:22:56 UTC

Re: [Issue 1796] defective or malicious client can corrupt repository log messages

On Sun, May 25, 2008 at 7:04 PM, Neels Janosch Hofmeyr <ne...@elego.de> wrote:

> (1) libsvn_repos:
>  (i) accepts inconsistent line ending styles in log messages and writes
> them to the repos,
>  (ii) accepts invalid UTF-8 octets in log messages and writes them to
> the repos, and that

Is this really true?  My memory tells me that we were doing *server*
side enforcement of log-message content, not client side.


Re: [Issue 1796] defective or malicious client can corrupt repository log messages

Posted by Neels Janosch Hofmeyr <ne...@elego.de>.
Sorry, I meant to point you at

http://subversion.tigris.org/issues/show_bug.cgi?id=1796
and
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=139063

instead...

Proving that server side enforcement does not happen involves making a
malicious client, as you can read in the comments on the issue.



Neels Janosch Hofmeyr wrote:
> Ben Collins-Sussman wrote:
>> On Sun, May 25, 2008 at 7:04 PM, Neels Janosch Hofmeyr <ne...@elego.de> wrote:
>>
>>> (1) libsvn_repos:
>>>  (i) accepts inconsistent line ending styles in log messages and writes
>>> them to the repos,
>>>  (ii) accepts invalid UTF-8 octets in log messages and writes them to
>>> the repos, and that
>>
>> Is this really true?  My memory tells me that we were doing *server*
>> side enforcement of log-message content, not client side.
>
> If you can reproduce the tests as listed in the mails
>
> http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=139045
> http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=139067
> http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=139102
>
> , then your memory has it the wrong way around. The server does no
> enforcement of log message content whatsoever, as is probably true for
> all props, concerning UTF-8 encoding and LF line feeds. This is what my
> findings suggest.
>
> I am busy on a patch to improve on that...

-- 
Neels Hofmeyr -- elego Software Solutions GmbH
Gustav-Meyer-Allee 25 / Gebäude 12, 13355 Berlin, Germany
phone: +49 30 23458696  mobile: +49 177 2345869  fax: +49 30 23458695
http://www.elegosoft.com | Geschäftsführer: Olaf Wagner | Sitz: Berlin
Handelsreg: Amtsgericht Charlottenburg HRB 77719 | USt-IdNr: DE163214194



Re: [Issue 1796] defective or malicious client can corrupt repository log messages

Posted by Neels Janosch Hofmeyr <ne...@elego.de>.
Ben Collins-Sussman wrote:
> On Sun, May 25, 2008 at 7:04 PM, Neels Janosch Hofmeyr <ne...@elego.de> wrote:
>
>> (1) libsvn_repos:
>>  (i) accepts inconsistent line ending styles in log messages and writes
>> them to the repos,
>>  (ii) accepts invalid UTF-8 octets in log messages and writes them to
>> the repos, and that
>
> Is this really true?  My memory tells me that we were doing *server*
> side enforcement of log-message content, not client side.
If you can reproduce the tests as listed in the mails

http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=139045
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=139067
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=139102

, then your memory has it the wrong way around. The server does no
enforcement of log message content whatsoever, as is probably true for
all props, concerning UTF-8 encoding and LF line feeds. This is what my
findings suggest.

I am busy on a patch to improve on that...

-- 
Neels Hofmeyr -- elego Software Solutions GmbH
Gustav-Meyer-Allee 25 / Gebäude 12, 13355 Berlin, Germany
phone: +49 30 23458696  mobile: +49 177 2345869  fax: +49 30 23458695
http://www.elegosoft.com | Geschäftsführer: Olaf Wagner | Sitz: Berlin
Handelsreg: Amtsgericht Charlottenburg HRB 77719 | USt-IdNr: DE163214194
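The check this thread says libsvn_repos was not doing at the time, written as an added example (it is not Subversion's own code and not the patch Neels mentions): a server-side validator for an svn:log value that reports invalid UTF-8 octets and non-LF or mixed line endings, plus a normalizer as the fix-up alternative. Function names and the sample message are constructed for this example.

```python
import re


def utf8_error_offset(raw: bytes):
    """Byte offset of the first invalid UTF-8 sequence, or None if raw is valid.
    Python's strict decoder rejects overlong forms, encoded surrogates and
    truncated sequences, which is what a repository should refuse to store."""
    try:
        raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


def line_ending_styles(raw: bytes):
    """Line-ending styles present in raw: a subset of {"LF", "CRLF", "CR"}."""
    styles = set()
    if re.search(rb"\r\n", raw):
        styles.add("CRLF")
    if re.search(rb"\r(?!\n)", raw):  # CR not followed by LF
        styles.add("CR")
    if re.search(rb"(?<!\r)\n", raw):  # LF not preceded by CR
        styles.add("LF")
    return styles


def validate_log_message(raw: bytes):
    """Problems a server-side check would report for an svn:log value;
    an empty list means valid UTF-8 with LF-only line endings."""
    problems = []
    offset = utf8_error_offset(raw)
    if offset is not None:
        problems.append(f"invalid UTF-8 at byte offset {offset}")
    styles = line_ending_styles(raw)
    if styles - {"LF"}:
        problems.append("non-LF line endings: " + ", ".join(sorted(styles - {"LF"})))
    if len(styles) > 1:
        problems.append("mixed line endings: " + ", ".join(sorted(styles)))
    return problems


def normalize_log_message(raw: bytes) -> bytes:
    """Fix-up alternative to rejection: fold CRLF and bare CR to a single LF."""
    return re.sub(rb"\r\n?", b"\n", raw)


if __name__ == "__main__":
    # Constructed sample, not taken from the thread: CRLF endings plus a bad octet.
    print(validate_log_message(b"Fix bug\r\nSecond \xc3\x28 line\n"))
```

Rejecting at the server (for example from a pre-commit or pre-revprop-change hook) is the safer default; the normalizer only makes sense for a message that has already passed the UTF-8 check.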