Ivan Zhakov <i...@visualsvn.com> writes: > On Tue, Jul 17, 2012 at 2:14 PM, Philip Martin > <philip.mar...@wandisco.com> wrote: >> >> phi...@apache.org writes: >> >> > Author: philip >> > Date: Tue Jul 17 10:12:20 2012 >> > New Revision: 1362434 >> > >> > URL: http://svn.apache.org/viewvc?rev=1362434&view=rev >> > Log: >> > Allow third party FS modules to be loaded when configured >> > with --enable-runtime-module-search. >> >> Until now anyone wanting to write an FS module had a problem: only >> modules known to the Subversion project could be loaded and used. >> That means that anyone wanting to write their own module had to get a >> patch for their module name into the core Subversion code. Or write >> their own loader/server. >> >> I don't think there is any security risk here: I need to write to the >> repository fs-type file to get a malicious module to load and if I can >> do that it would be far easier to use one of the hook scripts. >> > It still possible security issue here. Just image that repository is > stored on network share or something. Someone tweaked fs-type and put > fake .dll in repository folder. Then another user accesses this > repository and gets this dll loaded on his behalf!
To get a DSO loaded it has to go into the library search path. If the victim has a world writeable location in the search path the attacker could replace any DSO. > To prevent such issues we should valdiate fs-type to be only file name > with only alphanumeric characters. No dots, spaces or slashes. We also > should only load DSO module from directory where Subversion installed > for better protection. That's a good idea. r1362480. -- Cerified & Supported Apache Subversion Downloads: http://www.wandisco.com/subversion/download
