On Fri, Jul 10, 2026 at 6:31 PM Jordan Peck <[email protected]> wrote:

> First off this is the list of things I've found that break due to the 3445
> issue:
> - File content via commit containing the slave url would silently get
> rewritten to the master url if their paths were the same length. If the
> path
> length differs the commit would instead fail.
> - Property edits would also silently rewrite a slave url to master
> - Commit log messages containing the slave url would cause the commit
> to fail.
> - Lock comments get a slave URL silently rewritten, and also translated
> back when reading it through the proxy. So you need to read from the
> master to see the corruption.
>

If you have access to the Jira instance, it would be awesome to have this
list ^ recorded as part of SVN-3445!


> Not 3445 related but I also found that some of the proxy code treated the
> <Location> path as decoded when it's not. So if it contained an escapable
> character none of the path rewriting took place and most requests would
> fail
> when reaching the master server.
>
> Then I also found a non-proxy bug with the new tests, any mod_dav_svn
> repository whose <Location> contains an escapable character will fail
> commits with an http 400 code, no proxy involved. I found the cause, 3
> callers
> of get_resource() passed an encoded path when it expected a decoded
> one. You can see my fix for this in r1936013.
>

Would it make sense to address these two categories of fixes separately
(and get them reviewed and potentially merged ASAP)?  I'd hate for
Subversion to miss out on what I suspect are some relatively
straightforward and non-controversial improvements because they are
intertwingled with some of the more complex and nuanced changes you
describe below.


> For the initial 3445 related fixes I committed the patch proposed in my
> previous email (r1936010), this fixed the worst of the issues such as the
> file content munging and property edit munging. Then with the follow up
> fixes
> (r1936015 & r1936031) I added a whitelist to the response filtering and
> converted the blacklist for requests (added in the initial fix) into a
> whitelist too.
> I decided that having the filters whitelist based on method type instead
> of
> blacklist was preferable for a couple reasons:
> - There are only 2 method types that actually need filtering in each path,
> a blacklist would need to contain 4~
> - If a method that requires a path rewrite isn't in the whitelist, it will
> fail loudly
> when proxied to the master. A blacklist with the opposite case will
> potentially be silently munging data.
>

(I'd need to look at these changes to make sense of the above, but am not
in a good spot to do so.  Will try to do so later.)


> My most recent commit r1936032 added many new proxy tests in
> dav-mirror-autocheck.sh that I've been using to discover all these issues.
> It now uses master/slave locations with spaces to test URI-encoding and
> full coverage of every operation that can pass through the proxy.


This also feels like a great contribution to the trunk/ ASAP, even if the
tests are marked as expected failures.


> There is also coverage of the one remaining edge case bug, which is
> property values containing the master url are rewritten inside proxied
> PROPFIND responses on a transaction in progress (/!svn/txr/). It doesn't
> affect regular PROPFINDs because these are served by the slave locally
> and not proxied to the master. The test for this is also somewhat
> convoluted
> because there are no SVN operations that leave an open transaction in
> progress, so a raw curl POST is used to set this up. The PROPFIND to
> retrieve a property on this is then what triggers the master URL munging,
> this also has to be via curl since no SVN op triggers a PROPFIND on a
> transaction in progress. So you could consider this remaining edge case a
> complete non-issue.
>

Hrm, I'd say it's not a "complete non-issue" merely because Subversion
clients might not trigger a particular codepath.  For example, mod_dav_svn
tries to implement the WebDAV specification even though Subversion clients
don't speak that protocol.  So if you can make something blow up using a
series of curl commands, it's still a bug ... though admittedly perhaps one
with a small blast radius.

This has all been a much larger rabbit hole than I expected when I first
> started looking into the 3445 issue.


I'm so sorry.  😂  But hopefully now you can see why I was so hesitant to
just +1 your original patch.  I *knew* there was some rot under the
floorboards ... it just took me a while to put my finger on where it was.

-- Mike

Reply via email to