Posted to dev@subversion.apache.org by plasma <pl...@pchome.com.tw> on 2004/01/25 02:39:05 UTC

Showing full pathname of repo

Hi all,

I just ran into this command:

plasma@plasmanb:~> svn log -r 9900 -v http://svn.elixus.org/repos/
subversion/libsvn_ra_dav/util.c:661: (apr_err=160006)
svn: PROPFIND request failed on '/repos/!svn/vcc/default'
subversion/libsvn_ra_dav/util.c:359: (apr_err=160006)
svn:
reference to non-existent revision '9900' in filesystem '/home/svnrepos/repos/db'

And I noticed the full pathname of the repository is shown.  Is it a
good idea to reveal the full pathname of the repository?


plasma



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Showing full pathname of repo

Posted by Ben Reser <be...@reser.org>.
On Sun, Jan 25, 2004 at 10:39:05AM +0800, plasma wrote:
> I just ran into this command:
> 
> plasma@plasmanb:~> svn log -r 9900 -v http://svn.elixus.org/repos/
> subversion/libsvn_ra_dav/util.c:661: (apr_err=160006)
> svn: PROPFIND request failed on '/repos/!svn/vcc/default'
> subversion/libsvn_ra_dav/util.c:359: (apr_err=160006)
> svn:
> reference to non-existent revision '9900' in filesystem '/home/svnrepos/repos/db'
> 
> And I noticed the full pathname of the repository is shown.  Is it a
> good idea to reveal the full pathname of the repository?

Probably not a great idea, no.

-- 
Ben Reser <be...@reser.org>
http://ben.reser.org

"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken


Re: Showing full pathname of repo

Posted by Mark Benedetto King <mb...@lowlatency.com>.
On Mon, Jan 26, 2004 at 02:31:08AM +0000, Colin Watson wrote:
> On Sun, Jan 25, 2004 at 10:26:30AM -0500, Mark Benedetto King wrote:
> > On Sun, Jan 25, 2004 at 04:11:10AM +0000, Colin Watson wrote:
> > > Surely, if it matters that an attacker knows the path, you've already
> > > lost anyway? I've found the information useful for diagnosing problems
> > > in the past and don't see how it's a vulnerability.
> > 
> > Path disclosure is information leakage.  There have been vulnerabilities
> > in other software components (Tomcat, for example) that allow you to obtain
> > the full contents of a file if you know its absolute path.
> 
> I don't buy that, because I think most attackers would go for more
> interesting system files before they started trying to look for a
> Subversion repository, and the contents of those files may well make it
> irrelevant that you've suppressed useful information in Subversion's
> error messages. For example, on a system with GNU findutils installed I
> can grab /var/cache/locate/locatedb and voilà, I have my list of
> filenames. Like I said above, if it makes a difference that the attacker
> knows the path to your repository then you've already lost the battle by
> allowing them to access arbitrary files, and erecting gauzy barriers of
> obscurity at that point does little practical good.

I agree that Path Disclosure Vulnerabilities are not in-and-of-themselves
as severe as many other types.  However, such vulnerabilities are
frequently reported, and are usually followed with a patch that
fixes the problem.  Apache 2.0.39 had one, and they had to release
2.0.40 to fix it.

If this is not fixed, then it is only a matter of time before a similar
vulnerability announcement for Subversion hits BugTraq.  That inevitable
announcement will color the public's perception of Subversion's quality.
And then we'll probably want to fix the problem.  Why wait?

> 
> In other words, I don't believe that this is important information
> leakage. To me the debugging usefulness far exceeds the theoretical -
> and, I feel, distinctly dubious - decrease in security.
> 

When we plugged the other hole, we sent the full text of the error message
to Apache's logs; that minimized the loss of debugging usefulness.

--ben


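An added example, not code from this thread or from Subversion itself, of the split the message above describes: the full error text, absolute path included, is written to the server-side log where the administrator can read it, and the client only receives a copy with absolute paths masked. The path heuristic (a `/` that starts a token after whitespace or an opening quote), the `[path redacted]` placeholder and the `report_error` name are assumptions of this example. The heuristic deliberately errs toward over-redacting, so a request URI the client already knows, such as `'/repos/!svn/vcc/default'`, is masked as well, while `http://` URLs are left alone.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder shown to the client wherever an absolute path stood. */
#define REDACTED "[path redacted]"

/* Does msg[i] begin an absolute-path token?  A '/' at the start of the
 * message, or one preceded by whitespace or an opening quote, counts.
 * The '/' characters inside "http://host/..." are preceded by ':', '/'
 * or a letter, so URLs are left alone. */
static int starts_path(const char *msg, size_t i)
{
    char prev;
    if (msg[i] != '/')
        return 0;
    if (i == 0)
        return 1;
    prev = msg[i - 1];
    return isspace((unsigned char)prev) || prev == '\'' || prev == '"';
}

/* Length of the path token at msg[i]: it runs until whitespace, a
 * closing quote or the end of the string. */
static size_t path_len(const char *msg, size_t i)
{
    size_t n = 0;
    while (msg[i + n] != '\0' && !isspace((unsigned char)msg[i + n])
           && msg[i + n] != '\'' && msg[i + n] != '"')
        n++;
    return n;
}

/* Client-safe copy of an error message: every absolute path is replaced
 * by REDACTED.  The caller frees the result; NULL on allocation failure. */
char *redact_paths_for_client(const char *msg)
{
    size_t len = strlen(msg);
    /* Upper bound: every input byte could be a one-character path token
     * that expands to REDACTED. */
    size_t cap = len * (sizeof(REDACTED) - 1) + 1;
    char *out = malloc(cap);
    size_t i = 0, o = 0;
    if (out == NULL)
        return NULL;
    while (i < len) {
        if (starts_path(msg, i)) {
            memcpy(out + o, REDACTED, sizeof(REDACTED) - 1);
            o += sizeof(REDACTED) - 1;
            i += path_len(msg, i);
        } else {
            out[o++] = msg[i++];
        }
    }
    out[o] = '\0';
    return out;
}

/* Split reporting (hypothetical helper): the full message, paths
 * included, goes to the server-side log, and only the redacted copy is
 * returned for the client response.  The caller frees the result. */
char *report_error(FILE *server_log, const char *full_msg)
{
    if (server_log != NULL)
        fprintf(server_log, "[svn error] %s\n", full_msg);
    return redact_paths_for_client(full_msg);
}

int main(void)
{
    /* Constructed sample, modelled on the message quoted in the thread. */
    const char *full =
        "reference to non-existent revision '9900' in filesystem "
        "'/home/svnrepos/repos/db'";
    /* stderr stands in for the server's error log here. */
    char *client = report_error(stderr, full);
    if (client == NULL)
        return 1;
    printf("to client: %s\n", client);
    free(client);
    return 0;
}
```

Run as written, the full message appears on stderr (the stand-in for the server log) and the client-facing line reads `to client: reference to non-existent revision '9900' in filesystem '[path redacted]'`, so the revision number that matters for debugging survives while the filesystem location does not.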

Re: Showing full pathname of repo

Posted by Colin Watson <cj...@flatline.org.uk>.
On Sun, Jan 25, 2004 at 10:26:30AM -0500, Mark Benedetto King wrote:
> On Sun, Jan 25, 2004 at 04:11:10AM +0000, Colin Watson wrote:
> > Surely, if it matters that an attacker knows the path, you've already
> > lost anyway? I've found the information useful for diagnosing problems
> > in the past and don't see how it's a vulnerability.
> 
> Path disclosure is information leakage.  There have been vulnerabilities
> in other software components (Tomcat, for example) that allow you to obtain
> the full contents of a file if you know its absolute path.

I don't buy that, because I think most attackers would go for more
interesting system files before they started trying to look for a
Subversion repository, and the contents of those files may well make it
irrelevant that you've suppressed useful information in Subversion's
error messages. For example, on a system with GNU findutils installed I
can grab /var/cache/locate/locatedb and voilà, I have my list of
filenames. Like I said above, if it makes a difference that the attacker
knows the path to your repository then you've already lost the battle by
allowing them to access arbitrary files, and erecting gauzy barriers of
obscurity at that point does little practical good.

In other words, I don't believe that this is important information
leakage. To me the debugging usefulness far exceeds the theoretical -
and, I feel, distinctly dubious - decrease in security.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


Re: Showing full pathname of repo

Posted by Mark Benedetto King <mb...@lowlatency.com>.
On Sun, Jan 25, 2004 at 04:11:10AM +0000, Colin Watson wrote:
> On Sun, Jan 25, 2004 at 10:39:05AM +0800, plasma wrote:
> > I just ran into this command:
> > 
> > plasma@plasmanb:~> svn log -r 9900 -v http://svn.elixus.org/repos/
> > subversion/libsvn_ra_dav/util.c:661: (apr_err=160006)
> > svn: PROPFIND request failed on '/repos/!svn/vcc/default'
> > subversion/libsvn_ra_dav/util.c:359: (apr_err=160006)
> > svn:
> > reference to non-existent revision '9900' in filesystem '/home/svnrepos/repos/db'
> > 
> > And I noticed the full pathname of the repository is shown.  Is it a
> > good idea to reveal the full pathname of the repository?
> 
> Surely, if it matters that an attacker knows the path, you've already
> lost anyway? I've found the information useful for diagnosing problems
> in the past and don't see how it's a vulnerability.
> 

Path disclosure is information leakage.  There have been vulnerabilities
in other software components (Tomcat, for example) that allow you to obtain
the full contents of a file if you know its absolute path.

--ben



Re: Showing full pathname of repo

Posted by Colin Watson <cj...@flatline.org.uk>.
On Sun, Jan 25, 2004 at 10:39:05AM +0800, plasma wrote:
> I just ran into this command:
> 
> plasma@plasmanb:~> svn log -r 9900 -v http://svn.elixus.org/repos/
> subversion/libsvn_ra_dav/util.c:661: (apr_err=160006)
> svn: PROPFIND request failed on '/repos/!svn/vcc/default'
> subversion/libsvn_ra_dav/util.c:359: (apr_err=160006)
> svn:
> reference to non-existent revision '9900' in filesystem '/home/svnrepos/repos/db'
> 
> And I noticed the full pathname of the repository is shown.  Is it a
> good idea to reveal the full pathname of the repository?

Surely, if it matters that an attacker knows the path, you've already
lost anyway? I've found the information useful for diagnosing problems
in the past and don't see how it's a vulnerability.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


Re: Showing full pathname of repo

Posted by Mark Benedetto King <mb...@lowlatency.com>.
On Sat, Jan 24, 2004 at 09:00:42PM -0600, kfogel@collab.net wrote:
> Huh -- I could have sworn we had an issue on this, but now I can't
> find it.  Plasma, can you file one?  If you don't have time, no
> problem, just let us know so someone else can file it.  Thanks!
> 
> -Karl
> 
> plasma <pl...@pchome.com.tw> writes:
> > I just ran into this command:
> > 
> > plasma@plasmanb:~> svn log -r 9900 -v http://svn.elixus.org/repos/
> > subversion/libsvn_ra_dav/util.c:661: (apr_err=160006)
> > svn: PROPFIND request failed on '/repos/!svn/vcc/default'
> > subversion/libsvn_ra_dav/util.c:359: (apr_err=160006)
> > svn:
> > reference to non-existent revision '9900' in filesystem '/home/svnrepos/repos/db'
> > 
> > And I noticed the full pathname of the repository is shown.  Is it a
> > good idea to reveal the full pathname of the repository?
> > 


There was an issue, issue #1051.  You even fixed it. :-)

I'll re-open the issue with this reproduction recipe.

--ben



Re: Showing full pathname of repo

Posted by plasma <pl...@pchome.com.tw>.
Since mbk has found the issue (#1051), I'm not going to open a new
one. :)

plasma

On Sat, Jan 24, 2004 at 09:00:42PM -0600, kfogel@collab.net wrote:
> Huh -- I could have sworn we had an issue on this, but now I can't
> find it.  Plasma, can you file one?  If you don't have time, no
> problem, just let us know so someone else can file it.  Thanks!
> 
> -Karl
> 
> plasma <pl...@pchome.com.tw> writes:
> > I just ran into this command:
> > 
> > plasma@plasmanb:~> svn log -r 9900 -v http://svn.elixus.org/repos/
> > subversion/libsvn_ra_dav/util.c:661: (apr_err=160006)
> > svn: PROPFIND request failed on '/repos/!svn/vcc/default'
> > subversion/libsvn_ra_dav/util.c:359: (apr_err=160006)
> > svn:
> > reference to non-existent revision '9900' in filesystem '/home/svnrepos/repos/db'
> > 
> > And I noticed the full pathname of the repository is shown.  Is it a
> > good idea to reveal the full pathname of the repository?
> > 
> > 
> > plasma
> > 
> > 

Re: Showing full pathname of repo

Posted by kf...@collab.net.
Huh -- I could have sworn we had an issue on this, but now I can't
find it.  Plasma, can you file one?  If you don't have time, no
problem, just let us know so someone else can file it.  Thanks!

-Karl

plasma <pl...@pchome.com.tw> writes:
> I just ran into this command:
> 
> plasma@plasmanb:~> svn log -r 9900 -v http://svn.elixus.org/repos/
> subversion/libsvn_ra_dav/util.c:661: (apr_err=160006)
> svn: PROPFIND request failed on '/repos/!svn/vcc/default'
> subversion/libsvn_ra_dav/util.c:359: (apr_err=160006)
> svn:
> reference to non-existent revision '9900' in filesystem '/home/svnrepos/repos/db'
> 
> And I noticed the full pathname of the repository is shown.  Is it a
> good idea to reveal the full pathname of the repository?
> 
> 
> plasma
> 
> 