Author: stsp
Date: Thu Jan 30 19:14:49 2020
New Revision: 1873375

URL: http://svn.apache.org/viewvc?rev=1873375&view=rev
Log:
Canonicalize redirect URLs in ra_serf, rather than using them as-is.
This prevents an assertion failure in the client if the server sends
a redirect to a non-canonical URL.
If Apache HTTPD uses a redirect statement such as this:

  Redirect permanent "/svn" https://svn.example.com/svn/

then the redirect URL won't be canonical. For example, access to the
path "/svn/trunk" will be redirected to https://svn.example.com/svn//trunk
Note the double-slash which eventually triggers an assertion failure
when the redirect URL gets checked at an API boundary outside of ra_serf.

* subversion/libsvn_ra_serf/options.c
  (svn_ra_serf__exchange_capabilities): Treat redirect URLs as untrusted
   input and attempt to canonicalize them.

Modified:
    subversion/trunk/subversion/libsvn_ra_serf/options.c

Modified: subversion/trunk/subversion/libsvn_ra_serf/options.c URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_serf/options.c?rev=1873375&r1=1873374&r2=1873375&view=diff ============================================================================== --- subversion/trunk/subversion/libsvn_ra_serf/options.c (original) +++ subversion/trunk/subversion/libsvn_ra_serf/options.c Thu Jan 30 19:14:49 2020 @@ -575,7 +575,8 @@ svn_ra_serf__exchange_capabilities(svn_r } else if (svn_path_is_url(opt_ctx->handler->location)) { - *corrected_url = apr_pstrdup(result_pool, opt_ctx->handler->location); + SVN_ERR(svn_uri_canonicalize_safe(corrected_url, NULL, + opt_ctx->handler->location, result_pool, scratch_pool)); } else { @@ -586,9 +587,12 @@ svn_ra_serf__exchange_capabilities(svn_r See issue #3775 for details. */ apr_uri_t corrected_URI = serf_sess->session_url; + char *absolute_uri; corrected_URI.path = (char *)corrected_url; - *corrected_url = apr_uri_unparse(result_pool, &corrected_URI, 0); + absolute_uri = apr_uri_unparse(scratch_pool, &corrected_URI, 0); + SVN_ERR(svn_uri_canonicalize_safe(corrected_url, NULL, + absolute_uri, result_pool, scratch_pool)); } return SVN_NO_ERROR;
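Review bot: in the first hunk (@@ -575,7 +575,8 @@), the bare SVN_ERR() around svn_uri_canonicalize_safe() passes through whatever error the canonicalizer produces without saying where the malformed string came from, so a user hit by a bad Location header gets an error that names neither the redirect nor the server. Since the log message's whole point is that this string is untrusted server input, consider wrapping the error (e.g. with svn_error_quick_wrapf()) into a message that quotes the Location value received; passing NULL as the second argument also discards the optional output the API provides for reporting the offending string when canonicalization fails, which would be the natural thing to include in such a message. A one-line comment above the call pointing at the double-slash case from the log (Redirect permanent "/svn" https://svn.example.com/svn/ turning "/svn/trunk" into https://svn.example.com/svn//trunk) would also tell the next reader why a plain apr_pstrdup() was not enough here.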
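Review bot: in the second hunk (@@ -586,9 +587,12 @@), the unchanged context line "corrected_URI.path = (char *)corrected_url;" deserves a second look now that its result feeds the canonicalizer: the first hunk writes through "*corrected_url", so corrected_url is the address of the output pointer, and casting that address to char * makes .path point at the output variable itself rather than at the relative Location string. If that is what the code really does, absolute_uri is built from garbage and svn_uri_canonicalize_safe() will either reject it or canonicalize nonsense, so the path source should presumably be opt_ctx->handler->location, the value the else-if branch above uses. Independently of that, building absolute_uri in scratch_pool and letting the canonicalizer copy the final string into result_pool is the right pool discipline; the new "char *absolute_uri;" declaration sits with the other declarations at the top of the block, so it is fine for the C89-style rules this code base follows.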
