1
Description: Fix CVE-2013-1968
2
Subversion FSFS repositories can be corrupted by newline characters in
4
Origin: upstream, http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
5
Bug-Debian: http://bugs.debian.org/711033
7
Author: Salvatore Bonaccorso <carnil@debian.org>
8
Last-Update: 2013-06-06
10
--- a/subversion/libsvn_fs_fs/tree.c
11
+++ b/subversion/libsvn_fs_fs/tree.c
13
#include "svn_private_config.h"
14
#include "svn_pools.h"
15
#include "svn_error.h"
16
+#include "svn_ctype.h"
17
#include "svn_dirent_uri.h"
19
#include "svn_mergeinfo.h"
20
@@ -1806,6 +1807,78 @@
21
return svn_fs_fs__dag_dir_entries(table_p, node, pool, pool);
24
+/* Return a copy of PATH, allocated from POOL, for which control
25
+ characters have been escaped using the form \NNN (where NNN is the
26
+ octal representation of the byte's ordinal value). */
28
+illegal_path_escape(const char *path, apr_pool_t *pool)
30
+ svn_stringbuf_t *retstr;
31
+ apr_size_t i, copied = 0;
34
+ /* At least one control character:
35
+ strlen - 1 (control) + \ + N + N + N + null . */
36
+ retstr = svn_stringbuf_create_ensure(strlen(path) + 4, pool);
37
+ for (i = 0; path[i]; i++)
39
+ c = (unsigned char)path[i];
40
+ if (! svn_ctype_iscntrl(c))
43
+ /* If we got here, we're looking at a character that isn't
44
+ supported by the (or at least, our) URI encoding scheme. We
45
+ need to escape this character. */
47
+ /* First things first, copy all the good stuff that we haven't
48
+ yet copied into our output buffer. */
50
+ svn_stringbuf_appendbytes(retstr, path + copied,
53
+ /* Make sure buffer is big enough for '\' 'N' 'N' 'N' (and NUL) */
54
+ svn_stringbuf_ensure(retstr, retstr->len + 5);
55
+ /*### The backslash separator doesn't work too great with Windows,
56
+ but it's what we'll use for consistency with invalid utf8
57
+ formatting (until someone has a better idea) */
58
+ apr_snprintf(retstr->data + retstr->len, 5, "\\%03o", (unsigned char)c);
61
+ /* Finally, update our copy counter. */
65
+ /* If we didn't encode anything, we don't need to duplicate the string. */
66
+ if (retstr->len == 0)
69
+ /* Anything left to copy? */
71
+ svn_stringbuf_appendbytes(retstr, path + copied, i - copied);
73
+ /* retstr is null-terminated either by apr_snprintf or the svn_stringbuf
76
+ return retstr->data;
79
+/* Raise an error if PATH contains a newline because FSFS cannot handle
80
+ * such paths. See issue #4340. */
82
+check_newline(const char *path, apr_pool_t *pool)
86
+ for (c = path; *c; c++)
89
+ return svn_error_createf(SVN_ERR_FS_PATH_SYNTAX, NULL,
90
+ _("Invalid control character '0x%02x' in path '%s'"),
91
+ (unsigned char)*c, illegal_path_escape(path, pool));
94
+ return SVN_NO_ERROR;
97
/* Create a new directory named PATH in ROOT. The new directory has
98
no entries, and no properties. ROOT must be the root of a
101
const char *txn_id = root->txn;
103
+ SVN_ERR(check_newline(path, pool));
105
SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional,
108
@@ -2082,6 +2157,8 @@
112
+ SVN_ERR(check_newline(to_path, pool));
114
return svn_error_trace(copy_helper(from_root, from_path, to_root, to_path,
117
@@ -2174,6 +2251,8 @@
119
const char *txn_id = root->txn;
121
+ SVN_ERR(check_newline(path, pool));
123
SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional,