mod_dontdothat does not inhibit XML entity expansion

2016-04-23 Thread Florian Weimer
It seems that mod_dontdothat creates an Expat XML parser without inhibiting XML entity expansion for the internal DTD subset. This might cause a denial-of-service issue when parsing client-submitted XML. There are other pieces of code in Subversion which also create Expat parsers this way, but th

Re: mod_dontdothat does not inhibit XML entity expansion

2016-04-23 Thread Stefan Sperling
On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote: > It seems that mod_dontdothat creates an Expat XML parser without > inhibiting XML entity expansion for the internal DTD subset. This > might cause a denial-of-service issue when parsing client-submitted > XML. > > There are other p

Re: mod_dontdothat does not inhibit XML entity expansion

2016-04-23 Thread Florian Weimer
* Stefan Sperling: > On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote: >> It seems that mod_dontdothat creates an Expat XML parser without >> inhibiting XML entity expansion for the internal DTD subset. This >> might cause a denial-of-service issue when parsing client-submitted >> X

Modifying transaction properties (svnadmin setrevprop)

2016-04-23 Thread Ryan J Ollos
For a long time I've known the rule "don't modify a transaction in a pre-commit hook", documented in (1) and recently repeated in (2). I was therefore surprised to read about the "svnadmin setrevprop" command (3) in 1.9, and to see an example of modifying transaction properties in the hook-scripts

Re: Modifying transaction properties (svnadmin setrevprop)

2016-04-23 Thread Daniel Shahaf
Ryan J Ollos wrote on Sat, Apr 23, 2016 at 14:23:37 -0700: > For a long time I've known the rule "don't modify a transaction in a > pre-commit hook", documented in (1) and recently repeated in (2). > > I was therefore surprised to read about the "svnadmin setrevprop" command > (3) in 1.9, and to s

Re: mod_dontdothat does not inhibit XML entity expansion

2016-04-23 Thread Daniel Shahaf
Stefan Sperling wrote on Sat, Apr 23, 2016 at 18:31:39 +0200: > On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote: > > It seems that mod_dontdothat creates an Expat XML parser without > > inhibiting XML entity expansion for the internal DTD subset. This > > might cause a denial-of-ser

Re: Modifying transaction properties (svnadmin setrevprop)

2016-04-23 Thread Daniel Shahaf
Daniel Shahaf wrote on Sat, Apr 23, 2016 at 21:48:38 +: > Ryan J Ollos wrote on Sat, Apr 23, 2016 at 14:23:37 -0700: > > For a long time I've known the rule "don't modify a transaction in a > > pre-commit hook", documented in (1) and recently repeated in (2). > > > > I was therefore surprised

Re: Modifying transaction properties (svnadmin setrevprop)

2016-04-23 Thread Ryan J Ollos
On Sat, Apr 23, 2016 at 3:19 PM, Daniel Shahaf wrote: > Daniel Shahaf wrote on Sat, Apr 23, 2016 at 21:48:38 +: > > Ryan J Ollos wrote on Sat, Apr 23, 2016 at 14:23:37 -0700: > > > For a long time I've known the rule "don't modify a transaction in a > > > pre-commit hook", documented in (1) a