powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1016 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: 2cda77266d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2cda77266d'
${ noResults }
base/SOURCES/subversion-1.7.14-CVE-2017-...

104 lines
3.7 KiB
Raw Blame History

Index: subversion/libsvn_ra_svn/client.c
===================================================================
--- subversion/libsvn_ra_svn/client.c (revision 1803926)
+++ subversion/libsvn_ra_svn/client.c (working copy)
@@ -46,6 +46,7 @@
#include "svn_props.h"
#include "svn_mergeinfo.h"
#include "svn_version.h"
+#include "svn_ctype.h"
#include "svn_private_config.h"
@@ -395,7 +396,7 @@
* versions have it too. If the user is using some other ssh
* implementation that doesn't accept it, they can override it
* in the [tunnels] section of the config. */
- val = "$SVN_SSH ssh -q";
+ val = "$SVN_SSH ssh -q --";
}
if (!val || !*val)
@@ -435,7 +436,7 @@
;
*argv = apr_palloc(pool, (n + 4) * sizeof(char *));
memcpy((void *) *argv, cmd_argv, n * sizeof(char *));
- (*argv)[n++] = svn_path_uri_decode(hostinfo, pool);
+ (*argv)[n++] = hostinfo;
(*argv)[n++] = "svnserve";
(*argv)[n++] = "-t";
(*argv)[n] = NULL;
@@ -716,7 +717,33 @@
}
+/* A simple whitelist to ensure the following are valid:
+ * user@server
+ * [::1]:22
+ * server-name
+ * server_name
+ * 127.0.0.1
+ * with an extra restriction that a leading '-' is invalid.
+ */
+static svn_boolean_t
+is_valid_hostinfo(const char *hostinfo)
+{
+ const char *p = hostinfo;
+ if (p[0] == '-')
+ return FALSE;
+
+ while (*p)
+ {
+ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
+ return FALSE;
+
+ ++p;
+ }
+
+ return TRUE;
+}
+
static svn_error_t *ra_svn_open(svn_ra_session_t *session,
const char **corrected_url,
const char *url,
@@ -740,8 +767,17 @@
parse_tunnel(url, &tunnel, pool);
if (tunnel)
- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
- pool));
+ {
+ const char *decoded_hostinfo;
+
+ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, pool);
+ if (!is_valid_hostinfo(decoded_hostinfo))
+ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
+ uri.hostinfo);
+
+ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
+ config, pool));
+ }
else
tunnel_argv = NULL;
Index: subversion/libsvn_subr/config_file.c
===================================================================
--- subversion/libsvn_subr/config_file.c (revision 1803926)
+++ subversion/libsvn_subr/config_file.c (working copy)
@@ -1134,12 +1134,12 @@
"### passed to the tunnel agent as <user>@<hostname>.) If the" NL
"### built-in ssh scheme were not predefined, it could be defined" NL
"### as:" NL
- "# ssh = $SVN_SSH ssh -q" NL
+ "# ssh = $SVN_SSH ssh -q --" NL
"### If you wanted to define a new 'rsh' scheme, to be used with" NL
"### 'svn+rsh:' URLs, you could do so as follows:" NL
- "# rsh = rsh" NL
+ "# rsh = rsh --" NL
"### Or, if you wanted to specify a full path and arguments:" NL
- "# rsh = /path/to/rsh -l myusername" NL
+ "# rsh = /path/to/rsh -l myusername --" NL
"### On Windows, if you are specifying a full path to a command," NL
"### use a forward slash (/) or a paired backslash (\\\\) as the" NL
"### path separator. A single backslash will be treated as an" NL