On Tue, Jul 17, 2012 at 2:14 PM, Philip Martin <philip.mar...@wandisco.com> wrote:
>
> phi...@apache.org writes:
>
> > Author: philip
> > Date: Tue Jul 17 10:12:20 2012
> > New Revision: 1362434
> >
> > URL: http://svn.apache.org/viewvc?rev=1362434&view=rev
> > Log:
> > Allow third party FS modules to be loaded when configured
> > with --enable-runtime-module-search.
>
> Until now anyone wanting to write an FS module had a problem: only
> modules known to the Subversion project could be loaded and used.
> That means that anyone wanting to write their own module had to get a
> patch for their module name into the core Subversion code. Or write
> their own loader/server.
>
> I don't think there is any security risk here: I need to write to the
> repository fs-type file to get a malicious module to load and if I can
> do that it would be far easier to use one of the hook scripts.
>

It is still a possible security issue here. Just imagine that the repository is stored on a network share or something. Someone tweaked fs-type and put a fake .dll in the repository folder. Then another user accesses this repository and gets this dll loaded on his behalf!

To prevent such issues we should validate fs-type to be only a file name with only alphanumeric characters. No dots, spaces or slashes. We should also only load the DSO module from the directory where Subversion is installed, for better protection.

--
Ivan Zhakov
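
The check proposed in the reply above, sketched as an added example; it is not part of the original message and is not Subversion's code. The function names, MODULE_DIR, the length limit and the module file name pattern are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values for this example, not taken from Subversion's source. */
#define MODULE_DIR "/usr/local/lib"  /* hypothetical install directory */
#define MAX_FS_TYPE_LEN 32           /* arbitrary upper bound */

/* Return 1 only for 1..MAX_FS_TYPE_LEN ASCII letters or digits. Explicit
   range checks avoid locale-dependent isalnum() results. */
static int fs_type_is_valid(const char *name)
{
  size_t i;
  if (name == NULL || name[0] == '\0' || strlen(name) > MAX_FS_TYPE_LEN)
    return 0;
  for (i = 0; name[i] != '\0'; i++)
    {
      char c = name[i];
      if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
            || (c >= '0' && c <= '9')))
        return 0;   /* rejects dots, slashes, spaces, newlines, ... */
    }
  return 1;
}

/* Build the path under the fixed install directory, never under the
   repository. Returns 0 on success, -1 if the name is rejected or the
   buffer is too small. The file name pattern is hypothetical. */
static int module_path_for(const char *fs_type, char *out, size_t outlen)
{
  int n;
  if (!fs_type_is_valid(fs_type))
    return -1;
  n = snprintf(out, outlen, "%s/libsvn_fs_%s.so", MODULE_DIR, fs_type);
  return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
  /* Constructed sample fs-type values. */
  const char *samples[] = { "fsfs", "bdb", "../evil", "evil.dll", "a b", "" };
  char path[256];
  size_t i;

  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("[%s] -> %s\n", samples[i],
           module_path_for(samples[i], path, sizeof(path)) == 0 ? path : "rejected");
  return 0;
}
```

Because the directory is a compile-time constant and the name cannot contain a separator or dot, the resulting path cannot point into the repository folder regardless of what fs-type contains.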