[email protected] wrote on Wed, Jun 01, 2011 at 21:09:23 -0000: > Author: hwright > Date: Wed Jun 1 21:09:22 2011 > New Revision: 1130303 > > URL: http://svn.apache.org/viewvc?rev=1130303&view=rev > Log: > Commit the fix for CVE-2011-1921 and CVE-2011-1783. > > (Hopefully somebody with a bit more knowledge than me will fill in the > detailed > log message.) > > * subversion/mod_dav_svn/authz.c > (dav_svn__allow_read): Foo. >
Ahem.... ping?
> * subversion/tests/cmdline/svnsync_tests.py
> (specific_deny_authz): New test.
> (test_list): Run the new test.
>
> * subversion/libsvn_repos/authz.c
> (svn_repos_authz_check_access): Foo.
> And here.
> Modified:
> subversion/trunk/subversion/libsvn_repos/authz.c
> subversion/trunk/subversion/mod_dav_svn/authz.c
> subversion/trunk/subversion/tests/cmdline/svnsync_tests.py
>
> Modified: subversion/trunk/subversion/libsvn_repos/authz.c
> URL:
> http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_repos/authz.c?rev=1130303&r1=1130302&r2=1130303&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/libsvn_repos/authz.c (original)
> +++ subversion/trunk/subversion/libsvn_repos/authz.c Wed Jun 1 21:09:22 2011
> @@ -776,6 +776,9 @@ svn_repos_authz_check_access(svn_authz_t
> return SVN_NO_ERROR;
> }
>
> + /* Sanity check. */
> + SVN_ERR_ASSERT(path[0] == '/');
> +
> /* Determine the granted access for the requested path. */
> path = svn_fspath__canonicalize(path, pool);
> current_path = path;
>
> Modified: subversion/trunk/subversion/mod_dav_svn/authz.c
> URL:
> http://svn.apache.org/viewvc/subversion/trunk/subversion/mod_dav_svn/authz.c?rev=1130303&r1=1130302&r2=1130303&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/mod_dav_svn/authz.c (original)
> +++ subversion/trunk/subversion/mod_dav_svn/authz.c Wed Jun 1 21:09:22 2011
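Review bot: `SVN_ERR_ASSERT(path[0] == '/')` makes an unanchored path an assertion failure inside the access-check routine, yet the comment `/* Sanity check. */` does not say which contract is being enforced or why it matters. I would replace the comment with `/* Callers must pass an absolute fspath: an unanchored path would be matched against the wrong authz rules, so refuse it rather than guess. */`. Whether a NULL `path` can reach this dereference cannot be told from the hunk; the early return above it is context, so please confirm the NULL case is handled before it. If the malfunction handler installed by a caller such as mod_dav_svn aborts rather than returns, a request-supplied path that still arrives unanchored would take the server worker down, so an ordinary error return that denies access is the safer failure mode for an authorization routine. The body of svn_repos_authz_check_access begins outside the hunk.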
> @@ -54,6 +54,11 @@ dav_svn__allow_read(request_rec *r,
> return TRUE;
> }
>
> + /* Sometimes we get paths that do not start with '/' and
> + hence below uri concatenation would lead to wrong uris .*/
> + if (path && path[0] != '/')
> + path = apr_pstrcat(pool, "/", path, NULL);
> +
> /* If bypass is specified and authz has exported the provider.
> Otherwise, we fall through to the full version. This should be
> safer than allowing or disallowing all accesses if there is a
>
> Modified: subversion/trunk/subversion/tests/cmdline/svnsync_tests.py
> URL:
> http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/cmdline/svnsync_tests.py?rev=1130303&r1=1130302&r2=1130303&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/tests/cmdline/svnsync_tests.py (original)
> +++ subversion/trunk/subversion/tests/cmdline/svnsync_tests.py Wed Jun 1
> 21:09:22 2011
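Review bot: The added comment ends in a typo (`uris .*/`) and explains only the URI concatenation, not the access-control consequence that the commit log ties to CVE-2011-1921 and CVE-2011-1783 but describes only as `Foo.`; the next maintainer needs to know this prefixing is part of an authz fix, not cosmetics. I would replace the two comment lines with `/* Some callers hand us a path without a leading '/'. Authz rules and the URI built below are rooted at '/', so anchor the path here; presumably an unanchored path would otherwise be checked against the wrong rules. */`. The `path &&` guard lets a NULL path fall through to the code below, and the hunk does not show whether that code copes with NULL, so a sentence on that in the comment would help. dav_svn__allow_read's body continues past the hunk.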
> @@ -870,6 +870,67 @@ def commit_a_copy_of_root(sbox):
> #Testcase for issue 3438.
> run_test(sbox, "repo-with-copy-of-root-dir.dump")
>
> +
> +@Skip(svntest.main.is_ra_type_file)
> +def specific_deny_authz(sbox):
> + "verify if specifically denied paths dont sync"
> +
> + sbox.build("specific-deny-authz")
> +
> + dest_sbox = sbox.clone_dependent()
> + build_repos(dest_sbox)
> +
> + svntest.actions.enable_revprop_changes(dest_sbox.repo_dir)
> +
> + run_init(dest_sbox.repo_url, sbox.repo_url)
> +
> + svntest.main.run_svn(None, "cp",
> + os.path.join(sbox.wc_dir, "A"),
> + os.path.join(sbox.wc_dir, "A_COPY")
> + )
> + svntest.main.run_svn(None, "ci", "-mm", sbox.wc_dir)
> +
> + write_restrictive_svnserve_conf(sbox.repo_dir)
> +
> + # For mod_dav_svn's parent path setup we need per-repos permissions in
> + # the authz file...
> + if sbox.repo_url.startswith('http'):
> + svntest.main.file_write(sbox.authz_file,
> + "[specific-deny-authz:/]\n"
> + "* = r\n"
> + "\n"
> + "[specific-deny-authz:/A]\n"
> + "* = \n"
> + "\n"
> + "[specific-deny-authz:/A_COPY/B/lambda]\n"
> + "* = \n"
> + "\n"
> + "[specific-deny-authz-1:/]\n"
> + "* = rw\n")
> + # Otherwise we can just go with the permissions needed for the source
> + # repository.
> + else:
> + svntest.main.file_write(sbox.authz_file,
> + "[/]\n"
> + "* = r\n"
> + "\n"
> + "[/A]\n"
> + "* = \n"
> + "\n"
> + "[/A_COPY/B/lambda]\n"
> + "* = \n")
> +
> + run_sync(dest_sbox.repo_url)
> +
> + lambda_url = dest_sbox.repo_url + '/A_COPY/B/lambda'
> +
> + # this file should have been blocked by authz
> + svntest.actions.run_and_verify_svn(None,
> + [], svntest.verify.AnyOutput,
> + 'cat',
> + lambda_url)
> +
> +
> # issue #3641 'svnsync fails to partially copy a repository'.
> # This currently fails because while replacements with history
> # within copies are handled, replacements without history inside
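Review bot: The only assertion in `specific_deny_authz` is that `svn cat` of `lambda_url` on the destination yields some stderr, so a sync that copied nothing at all, or a destination that is simply unreachable, would pass just as well; the test needs a positive control showing that readable paths did arrive. After the existing check, add `svntest.actions.run_and_verify_svn(None, svntest.verify.AnyOutput, [], 'cat', dest_sbox.repo_url + '/iota')` — `iota` sits at the repository root, which the authz file grants `r` to everyone. A second negative check on `dest_sbox.repo_url + '/A'` would also cover the whole-directory denial the authz file sets up, not only the single file. The docstring has a typo and should read `"verify that specifically denied paths don't sync"`. The `cp` and `ci` setup steps use `svntest.main.run_svn`, whose result is not checked here, so a failed setup would surface later as a confusing `cat` result rather than at the step that broke.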
> @@ -988,6 +1049,7 @@ test_list = [ None,
> identity_copy,
> delete_svn_props,
> commit_a_copy_of_root,
> + specific_deny_authz,
> descend_into_replace,
> delete_revprops,
> fd_leak_sync_from_serf_to_local,
>
>

