Author: hwright
Date: Wed Jun 1 21:09:22 2011
New Revision: 1130303
URL: http://svn.apache.org/viewvc?rev=1130303&view=rev
Log:
Commit the fix for CVE-2011-1921 and CVE-2011-1783.
(Hopefully somebody with a bit more knowledge than me will fill in the detailed
log message.)
* subversion/mod_dav_svn/authz.c
(dav_svn__allow_read): Foo.
* subversion/tests/cmdline/svnsync_tests.py
(specific_deny_authz): New test.
(test_list): Run the new test.
* subversion/libsvn_repos/authz.c
(svn_repos_authz_check_access): Foo.
Modified:
subversion/trunk/subversion/libsvn_repos/authz.c
subversion/trunk/subversion/mod_dav_svn/authz.c
subversion/trunk/subversion/tests/cmdline/svnsync_tests.py
Modified: subversion/trunk/subversion/libsvn_repos/authz.c
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_repos/authz.c?rev=1130303&r1=1130302&r2=1130303&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_repos/authz.c (original)
+++ subversion/trunk/subversion/libsvn_repos/authz.c Wed Jun 1 21:09:22 2011
@@ -776,6 +776,9 @@ svn_repos_authz_check_access(svn_authz_t
return SVN_NO_ERROR;
}
+ /* Sanity check. */
+ SVN_ERR_ASSERT(path[0] == '/');
+
/* Determine the granted access for the requested path. */
path = svn_fspath__canonicalize(path, pool);
current_path = path;
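Review bot: The new comment `/* Sanity check. */` says nothing about what the added SVN_ERR_ASSERT guards, and since this is the libsvn_repos half of the fix the log message leaves as "Foo.", the reasoning belongs here. The access rules are matched against repository paths anchored at '/' (the line below canonicalizes as an fspath), so a path without the leading slash would appear to be compared against the wrong rules; a comment such as `/* Authz rules are keyed by absolute fspaths; an unanchored path would match the wrong rules, so refuse it outright. */` would record that. It is also worth stating that SVN_ERR_ASSERT returns an error rather than aborting in release builds, so a caller passing a relative path now gets a failed check rather than a mis-resolved one. The assertion dereferences `path[0]`; the preceding `return SVN_NO_ERROR;` may be the NULL-path exit, but that condition and the start of svn_repos_authz_check_access lie outside the hunk.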
Modified: subversion/trunk/subversion/mod_dav_svn/authz.c
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/mod_dav_svn/authz.c?rev=1130303&r1=1130302&r2=1130303&view=diff
==============================================================================
--- subversion/trunk/subversion/mod_dav_svn/authz.c (original)
+++ subversion/trunk/subversion/mod_dav_svn/authz.c Wed Jun 1 21:09:22 2011
@@ -54,6 +54,11 @@ dav_svn__allow_read(request_rec *r,
return TRUE;
}
+ /* Sometimes we get paths that do not start with '/' and
+ hence below uri concatenation would lead to wrong uris .*/
+ if (path && path[0] != '/')
+ path = apr_pstrcat(pool, "/", path, NULL);
+
/* If bypass is specified and authz has exported the provider.
Otherwise, we fall through to the full version. This should be
safer than allowing or disallowing all accesses if there is a
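Review bot: The added comment `Sometimes we get paths that do not start with '/' and hence below uri concatenation would lead to wrong uris .` is vague about where such paths originate and has a stray space before the period; consider `/* Callers may pass a repository path without the leading '/'; both the authz rules and the URI built below assume an absolute path, so anchor it here. */`. Because the repos layer now rejects unanchored paths with an assertion, silently prefixing '/' here normalizes exactly the input that would otherwise surface the offending caller, so naming the known callers (or fixing them) would keep the bug from being masked at its source. An empty string also takes this branch and becomes "/", i.e. the repository root; if that is the intended mapping it should be said in the comment. dav_svn__allow_read begins before this hunk.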
Modified: subversion/trunk/subversion/tests/cmdline/svnsync_tests.py
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/cmdline/svnsync_tests.py?rev=1130303&r1=1130302&r2=1130303&view=diff
==============================================================================
--- subversion/trunk/subversion/tests/cmdline/svnsync_tests.py (original)
+++ subversion/trunk/subversion/tests/cmdline/svnsync_tests.py Wed Jun 1
21:09:22 2011
@@ -870,6 +870,67 @@ def commit_a_copy_of_root(sbox):
#Testcase for issue 3438.
run_test(sbox, "repo-with-copy-of-root-dir.dump")
+
+@Skip(svntest.main.is_ra_type_file)
+def specific_deny_authz(sbox):
+ "verify if specifically denied paths dont sync"
+
+ sbox.build("specific-deny-authz")
+
+ dest_sbox = sbox.clone_dependent()
+ build_repos(dest_sbox)
+
+ svntest.actions.enable_revprop_changes(dest_sbox.repo_dir)
+
+ run_init(dest_sbox.repo_url, sbox.repo_url)
+
+ svntest.main.run_svn(None, "cp",
+ os.path.join(sbox.wc_dir, "A"),
+ os.path.join(sbox.wc_dir, "A_COPY")
+ )
+ svntest.main.run_svn(None, "ci", "-mm", sbox.wc_dir)
+
+ write_restrictive_svnserve_conf(sbox.repo_dir)
+
+ # For mod_dav_svn's parent path setup we need per-repos permissions in
+ # the authz file...
+ if sbox.repo_url.startswith('http'):
+ svntest.main.file_write(sbox.authz_file,
+ "[specific-deny-authz:/]\n"
+ "* = r\n"
+ "\n"
+ "[specific-deny-authz:/A]\n"
+ "* = \n"
+ "\n"
+ "[specific-deny-authz:/A_COPY/B/lambda]\n"
+ "* = \n"
+ "\n"
+ "[specific-deny-authz-1:/]\n"
+ "* = rw\n")
+ # Otherwise we can just go with the permissions needed for the source
+ # repository.
+ else:
+ svntest.main.file_write(sbox.authz_file,
+ "[/]\n"
+ "* = r\n"
+ "\n"
+ "[/A]\n"
+ "* = \n"
+ "\n"
+ "[/A_COPY/B/lambda]\n"
+ "* = \n")
+
+ run_sync(dest_sbox.repo_url)
+
+ lambda_url = dest_sbox.repo_url + '/A_COPY/B/lambda'
+
+ # this file should have been blocked by authz
+ svntest.actions.run_and_verify_svn(None,
+ [], svntest.verify.AnyOutput,
+ 'cat',
+ lambda_url)
+
+
# issue #3641 'svnsync fails to partially copy a repository'.
# This currently fails because while replacements with history
# within copies are handled, replacements without history inside
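Review bot: The new test only asserts the negative case — `svn cat` on `/A_COPY/B/lambda` fails — so a sync that copied nothing at all (or failed outright) would also pass it; add a positive check that a permitted path did arrive, e.g. `svntest.actions.run_and_verify_svn(None, svntest.verify.AnyOutput, [], 'ls', dest_sbox.repo_url + '/A_COPY/B')`. The `/A` rule written to the authz file is likewise never verified on the destination, so the denial of a whole subtree (as opposed to a single file inside a copy) goes untested. The results of the `cp` and `ci` calls via `svntest.main.run_svn` are discarded, so a failed commit would surface only later as a confusing sync result. The test docstring should read "don't" rather than "dont".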
@@ -988,6 +1049,7 @@ test_list = [ None,
identity_copy,
delete_svn_props,
commit_a_copy_of_root,
+ specific_deny_authz,
descend_into_replace,
delete_revprops,
fd_leak_sync_from_serf_to_local,