On 2020-01-23 18:40:56 +0000, Daniel Shahaf wrote: > Vincent Lefevre wrote on Thu, 23 Jan 2020 15:50 +0100: > > On 2020-01-23 12:44:02 +0100, Joerg Wunsch wrote: > > > If the automounter already yields ENOENT for the ../.svn directory > > > probe, everything is not going to be a problem. I think the point here > > > is the automounter (eventually, after "thinking" about it for about 1 > > > s) offers a successful stat() result for ../.svn (probably because > > > that directory *might be* a possible mount point for the automounter) > > > but then yields EIO when trying to access anything within that > > > ficticous directory (because nothing is actually mounted there). > > > > Do you mean that Subversion tries to go higher in the hierarchy > > without checking the owner of the directory? If it does, this is > > a security issue. > > How so? What's the attacker model? What can someone leverage this > feature of Subversion to do that they couldn't do without it?
I don't know all the various possibilities, but there's at least a denial of service: zira:/tmp> mkdir vinc17 zira:/tmp> cd vinc17 zira:/tmp/vinc17> svn co file:///home/vinc17/repos wc svn: E200030: sqlite[S1]: no such table: wcroot zira:/tmp/vinc17[1]> That's with an attacker who creates a .svn directory in /tmp and an empty wc.db file in it. On systems without symlink restriction in world-writable directories, I was wondering whether there could be a way to create files in the user's home directory. My attempt yielded a sqlite error because O_NOFOLLOW was used, which is a good thing. But I'm also wondering whether there could be some leak in wc.db in case the user does a "svn up" from a wrong directory (such as /tmp/vinc17 above, with an attacker creating a .svn directory in /tmp with a URL of a private repository belonging to the user). A small error like this should never become a security issue. -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)