Author: svn-role
Date: Tue Apr 14 04:00:46 2015
New Revision: 1673350
URL: http://svn.apache.org/r1673350
Log:
Merge r1667235 from trunk:
* r1667235
Reject invalid transaction property change requests in mod_dav_svn.
Justification:
Security issue.
Votes:
+1: kotkov, rhuijben, philip
Modified:
subversion/branches/1.9.x/ (props changed)
subversion/branches/1.9.x/STATUS
subversion/branches/1.9.x/subversion/mod_dav_svn/deadprops.c
Propchange: subversion/branches/1.9.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Apr 14 04:00:46 2015
@@ -89,4 +89,4 @@
/subversion/branches/verify-at-commit:1462039-1462408
/subversion/branches/verify-keep-going:1439280-1546110
/subversion/branches/wc-collate-path:1402685-1480384
-/subversion/trunk:1660545-1660547,1660549-1662901,1663003,1663183-1663184,1663338,1663347,1663355,1663374,1663450,1663697,1663706,1663738,1663749,1663791,1664078,1664080,1664084-1664085,1664187,1664191,1664193,1664200,1664344,1664476,1664480-1664481,1664483,1664489-1664490,1664507,1664520-1664521,1664523,1664526-1664527,1664531-1664532,1664588,1664653,1664684,1664927,1664938-1664940,1664978,1664984,1664997,1665164,1665195,1665318,1665437-1665438,1665611-1665612,1665845,1665850,1665852,1665886,1665894,1665896,1666096,1666270,1666272,1666379,1666449,1666690,1666851,1667101,1667106-1667107,1667941,1667976,1668598,1668600,1668602-1668603,1668618,1669749,1670139,1670149,1670152,1670329,1670347,1670353,1671388,1672511-1672512,1672728
+/subversion/trunk:1660545-1660547,1660549-1662901,1663003,1663183-1663184,1663338,1663347,1663355,1663374,1663450,1663697,1663706,1663738,1663749,1663791,1664078,1664080,1664084-1664085,1664187,1664191,1664193,1664200,1664344,1664476,1664480-1664481,1664483,1664489-1664490,1664507,1664520-1664521,1664523,1664526-1664527,1664531-1664532,1664588,1664653,1664684,1664927,1664938-1664940,1664978,1664984,1664997,1665164,1665195,1665318,1665437-1665438,1665611-1665612,1665845,1665850,1665852,1665886,1665894,1665896,1666096,1666270,1666272,1666379,1666449,1666690,1666851,1667101,1667106-1667107,1667235,1667941,1667976,1668598,1668600,1668602-1668603,1668618,1669749,1670139,1670149,1670152,1670329,1670347,1670353,1671388,1672511-1672512,1672728
Modified: subversion/branches/1.9.x/STATUS
URL:
http://svn.apache.org/viewvc/subversion/branches/1.9.x/STATUS?rev=1673350&r1=1673349&r2=1673350&view=diff
==============================================================================
--- subversion/branches/1.9.x/STATUS (original)
+++ subversion/branches/1.9.x/STATUS Tue Apr 14 04:00:46 2015
@@ -330,10 +330,3 @@ Veto-blocked changes:
Approved changes:
=================
-
- * r1667235
- Reject invalid transaction property change requests in mod_dav_svn.
- Justification:
- Security issue.
- Votes:
- +1: kotkov, rhuijben, philip
Modified: subversion/branches/1.9.x/subversion/mod_dav_svn/deadprops.c
URL:
http://svn.apache.org/viewvc/subversion/branches/1.9.x/subversion/mod_dav_svn/deadprops.c?rev=1673350&r1=1673349&r2=1673350&view=diff
==============================================================================
--- subversion/branches/1.9.x/subversion/mod_dav_svn/deadprops.c (original)
+++ subversion/branches/1.9.x/subversion/mod_dav_svn/deadprops.c Tue Apr 14
04:00:46 2015
@@ -163,6 +163,23 @@ get_value(dav_db *db, const dav_prop_nam
}
+static svn_error_t *
+change_txn_prop(svn_fs_txn_t *txn,
+ const char *propname,
+ const svn_string_t *value,
+ apr_pool_t *scratch_pool)
+{
+ if (strcmp(propname, SVN_PROP_REVISION_AUTHOR) == 0)
+ return svn_error_create(SVN_ERR_RA_DAV_REQUEST_FAILED, NULL,
+ "Attempted to modify 'svn:author' property "
+ "on a transaction");
+
+ SVN_ERR(svn_repos_fs_change_txn_prop(txn, propname, value, scratch_pool));
+
+ return SVN_NO_ERROR;
+}
+
+
static dav_error *
save_value(dav_db *db, const dav_prop_name *name,
const svn_string_t *const *old_value_p,
@@ -213,9 +230,8 @@ save_value(dav_db *db, const dav_prop_na
{
if (resource->working)
{
- serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
- propname, value,
- subpool);
+ serr = change_txn_prop(resource->info->root.txn, propname,
+ value, subpool);
}
else
{
@@ -254,8 +270,8 @@ save_value(dav_db *db, const dav_prop_na
}
else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
{
- serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
- propname, value, subpool);
+ serr = change_txn_prop(resource->info->root.txn, propname,
+ value, subpool);
}
else
{
@@ -560,8 +576,8 @@ db_remove(dav_db *db, const dav_prop_nam
/* Working Baseline or Working (Version) Resource */
if (db->resource->baselined)
if (db->resource->working)
- serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
- propname, NULL, subpool);
+ serr = change_txn_prop(db->resource->info->root.txn, propname,
+ NULL, subpool);
else
/* ### VIOLATING deltaV: you can't proppatch a baseline, it's
not a working resource! But this is how we currently
