mirror of
https://git.yoctoproject.org/poky
synced 2026-05-02 18:32:15 +02:00
8f8989071a
Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue. Repositories served via other access methods are not affected. References: https://nvd.nist.gov/vuln/detail/CVE-2024-46901 Upstream patches: https://subversion.apache.org/security/CVE-2024-46901-advisory.txt (From OE-Core rev: 16c212bd9a9e9c35256ff308da72a518c76ce11d) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
162 lines
6.3 KiB
Diff
162 lines
6.3 KiB
Diff
From 149e299cd7eaadc8248480300b6e13b097c5b3fa Mon Sep 17 00:00:00 2001
|
|
From: Jiaying Song <jiaying.song.cn@windriver.com>
|
|
Date: Fri, 13 Dec 2024 12:19:43 +0800
|
|
Subject: [PATCH] Fix CVE-2024-46901
|
|
|
|
It has been discovered that the patch for CVE-2013-1968 was incomplete and unintentionally left mod_dav_svn vulnerable to control characters in filenames.
|
|
|
|
Upstream-Status: Backport
|
|
[https://subversion.apache.org/security/CVE-2024-46901-advisory.txt]
|
|
|
|
CVE: CVE-2024-46901
|
|
|
|
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
|
|
---
|
|
.../include/private/svn_repos_private.h | 8 +++++
|
|
subversion/libsvn_repos/commit.c | 3 +-
|
|
subversion/libsvn_repos/repos.c | 10 +++++++
|
|
subversion/mod_dav_svn/lock.c | 7 +++++
|
|
subversion/mod_dav_svn/repos.c | 29 +++++++++++++++++++
|
|
5 files changed, 55 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/subversion/include/private/svn_repos_private.h b/subversion/include/private/svn_repos_private.h
|
|
index 1fd34e8..1d5fc9c 100644
|
|
--- a/subversion/include/private/svn_repos_private.h
|
|
+++ b/subversion/include/private/svn_repos_private.h
|
|
@@ -390,6 +390,14 @@ svn_repos__get_dump_editor(const svn_delta_editor_t **editor,
|
|
const char *update_anchor_relpath,
|
|
apr_pool_t *pool);
|
|
|
|
+/* Validate that the given PATH is a valid pathname that can be stored in
|
|
+ * a Subversion repository, according to the name constraints used by the
|
|
+ * svn_repos_* layer.
|
|
+ */
|
|
+svn_error_t *
|
|
+svn_repos__validate_new_path(const char *path,
|
|
+ apr_pool_t *scratch_pool);
|
|
+
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif /* __cplusplus */
|
|
diff --git a/subversion/libsvn_repos/commit.c b/subversion/libsvn_repos/commit.c
|
|
index 515600d..aad37ee 100644
|
|
--- a/subversion/libsvn_repos/commit.c
|
|
+++ b/subversion/libsvn_repos/commit.c
|
|
@@ -308,8 +308,7 @@ add_file_or_directory(const char *path,
|
|
svn_boolean_t was_copied = FALSE;
|
|
const char *full_path, *canonicalized_path;
|
|
|
|
- /* Reject paths which contain control characters (related to issue #4340). */
|
|
- SVN_ERR(svn_path_check_valid(path, pool));
|
|
+ SVN_ERR(svn_repos__validate_new_path(path, pool));
|
|
|
|
SVN_ERR(svn_relpath_canonicalize_safe(&canonicalized_path, NULL, path,
|
|
pool, pool));
|
|
diff --git a/subversion/libsvn_repos/repos.c b/subversion/libsvn_repos/repos.c
|
|
index 2189de8..119f04b 100644
|
|
--- a/subversion/libsvn_repos/repos.c
|
|
+++ b/subversion/libsvn_repos/repos.c
|
|
@@ -2092,3 +2092,13 @@ svn_repos__fs_type(const char **fs_type,
|
|
svn_dirent_join(repos_path, SVN_REPOS__DB_DIR, pool),
|
|
pool);
|
|
}
|
|
+
|
|
+svn_error_t *
|
|
+svn_repos__validate_new_path(const char *path,
|
|
+ apr_pool_t *scratch_pool)
|
|
+{
|
|
+ /* Reject paths which contain control characters (related to issue #4340). */
|
|
+ SVN_ERR(svn_path_check_valid(path, scratch_pool));
|
|
+
|
|
+ return SVN_NO_ERROR;
|
|
+}
|
|
diff --git a/subversion/mod_dav_svn/lock.c b/subversion/mod_dav_svn/lock.c
|
|
index 7e9c94b..d2a6aa9 100644
|
|
--- a/subversion/mod_dav_svn/lock.c
|
|
+++ b/subversion/mod_dav_svn/lock.c
|
|
@@ -36,6 +36,7 @@
|
|
#include "svn_pools.h"
|
|
#include "svn_props.h"
|
|
#include "private/svn_log.h"
|
|
+#include "private/svn_repos_private.h"
|
|
|
|
#include "dav_svn.h"
|
|
|
|
@@ -717,6 +718,12 @@ append_locks(dav_lockdb *lockdb,
|
|
|
|
/* Commit a 0-byte file: */
|
|
|
|
+ if ((serr = svn_repos__validate_new_path(resource->info->repos_path,
|
|
+ resource->pool)))
|
|
+ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
|
|
+ "Request specifies an invalid path.",
|
|
+ resource->pool);
|
|
+
|
|
if ((serr = dav_svn__get_youngest_rev(&rev, repos, resource->pool)))
|
|
return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
|
|
"Could not determine youngest revision",
|
|
diff --git a/subversion/mod_dav_svn/repos.c b/subversion/mod_dav_svn/repos.c
|
|
index 8cbd5e7..778ae9b 100644
|
|
--- a/subversion/mod_dav_svn/repos.c
|
|
+++ b/subversion/mod_dav_svn/repos.c
|
|
@@ -2928,6 +2928,15 @@ open_stream(const dav_resource *resource,
|
|
|
|
if (kind == svn_node_none) /* No existing file. */
|
|
{
|
|
+ serr = svn_repos__validate_new_path(resource->info->repos_path,
|
|
+ resource->pool);
|
|
+
|
|
+ if (serr != NULL)
|
|
+ {
|
|
+ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
|
|
+ "Request specifies an invalid path.",
|
|
+ resource->pool);
|
|
+ }
|
|
serr = svn_fs_make_file(resource->info->root.root,
|
|
resource->info->repos_path,
|
|
resource->pool);
|
|
@@ -4120,6 +4129,14 @@ create_collection(dav_resource *resource)
|
|
return err;
|
|
}
|
|
|
|
+ if ((serr = svn_repos__validate_new_path(resource->info->repos_path,
|
|
+ resource->pool)) != NULL)
|
|
+ {
|
|
+ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
|
|
+ "Request specifies an invalid path.",
|
|
+ resource->pool);
|
|
+ }
|
|
+
|
|
if ((serr = svn_fs_make_dir(resource->info->root.root,
|
|
resource->info->repos_path,
|
|
resource->pool)) != NULL)
|
|
@@ -4193,6 +4210,12 @@ copy_resource(const dav_resource *src,
|
|
if (err)
|
|
return err;
|
|
}
|
|
+
|
|
+ serr = svn_repos__validate_new_path(dst->info->repos_path, dst->pool);
|
|
+ if (serr)
|
|
+ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
|
|
+ "Request specifies an invalid path.",
|
|
+ dst->pool);
|
|
|
|
src_repos_path = svn_repos_path(src->info->repos->repos, src->pool);
|
|
dst_repos_path = svn_repos_path(dst->info->repos->repos, dst->pool);
|
|
@@ -4430,6 +4453,12 @@ move_resource(dav_resource *src,
|
|
if (err)
|
|
return err;
|
|
|
|
+ serr = svn_repos__validate_new_path(dst->info->repos_path, dst->pool);
|
|
+ if (serr)
|
|
+ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
|
|
+ "Request specifies an invalid path.",
|
|
+ dst->pool);
|
|
+
|
|
/* Copy the src to the dst. */
|
|
serr = svn_fs_copy(src->info->root.root, /* the root object of src rev*/
|
|
src->info->repos_path, /* the relative path of src */
|
|
--
|
|
2.25.1
|
|
|