On 2022-10-31 10:02:14 +0000, Daniel Shahaf wrote: > Vincent Lefevre wrote on Mon, 24 Oct 2022 13:57 +00:00: > > "svn" goes up in the directory hierarchy to look for a .svn directory. > > The issue is that it doesn't stop at filesystem and/or owner change. > > Why should the upwards scan stop at mount points? Because accessing > /home/.svn on a random machine in your lab hangs? That's insufficient > justification.
There's also a potential security issue if the owner is different, and that basically the same as below: > Why should the upwards scan stop at owner change? What's the facts of > the setup (a concrete example with relevant ownerships and permissions > specified) and what could Mallory do that he shouldn't be able to? Feel > free to reply on security@ if the matter isn't suitable for public > discussion. I don't have to do much testing at the moment, but some ideas... Mallory could set up a .svn directory he controls. So if one does "svn info", that would output a last changed author that Mallory chose. Now, does the svn client check whether there are non-printable characters in the author name? If it doesn't, this could send escape sequences to the terminal. I'm also wondering of the consequence of symlinks .svn/entries to /path-to-attacked-user/.svn/entries, etc. except for the pristine subdirectory, which Mallory creates as world-writable. If the user does a "svn up", could this populate the pristine subdirectory (owned by Mallory)? -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
