From 61382fd8ea66000bd9ee8e203a6eab443220ee40 Mon Sep 17 00:00:00 2001 From: Nathan Hartman Date: Sun, 27 Mar 2022 05:59:18 +0000 Subject: [PATCH] On the 1.14.x-r1899227 branch: Merge r1899227 from trunk w/testlist variation git-svn-id: https://svn.apache.org/repos/asf/subversion/branches/1.14.x-r1899227@1899229 13f79535-47bb-0310-9956-ffa450edef68 CVE: CVE-2021-28544 [https://github.com/apache/subversion/commit/61382fd8ea66000bd9ee8e203a6eab443220ee40] Upstream-Status: Backport Signed-off-by: Chee Yang Lee --- subversion/libsvn_repos/log.c | 26 +++++------- subversion/tests/cmdline/authz_tests.py | 55 +++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 16 deletions(-) diff --git a/subversion/libsvn_repos/log.c b/subversion/libsvn_repos/log.c index d9a1fb1085e16..41ca8aed27174 100644 --- a/subversion/libsvn_repos/log.c +++ b/subversion/libsvn_repos/log.c @@ -337,42 +337,36 @@ detect_changed(svn_repos_revision_access_level_t *access_level, if ( (change->change_kind == svn_fs_path_change_add) || (change->change_kind == svn_fs_path_change_replace)) { - const char *copyfrom_path = change->copyfrom_path; - svn_revnum_t copyfrom_rev = change->copyfrom_rev; - /* the following is a potentially expensive operation since on FSFS we will follow the DAG from ROOT to PATH and that requires actually reading the directories along the way. */ if (!change->copyfrom_known) { - SVN_ERR(svn_fs_copied_from(©from_rev, ©from_path, + SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev, &change->copyfrom_path, root, path, iterpool)); change->copyfrom_known = TRUE; } - if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev)) + if (change->copyfrom_path && SVN_IS_VALID_REVNUM(change->copyfrom_rev)) { - svn_boolean_t readable = TRUE; - if (callbacks->authz_read_func) { svn_fs_root_t *copyfrom_root; + svn_boolean_t readable; SVN_ERR(svn_fs_revision_root(©from_root, fs, - copyfrom_rev, iterpool)); + change->copyfrom_rev, iterpool)); SVN_ERR(callbacks->authz_read_func(&readable, copyfrom_root, - copyfrom_path, + change->copyfrom_path, callbacks->authz_read_baton, iterpool)); if (! readable) - found_unreadable = TRUE; - } - - if (readable) - { - change->copyfrom_path = copyfrom_path; - change->copyfrom_rev = copyfrom_rev; + { + found_unreadable = TRUE; + change->copyfrom_path = NULL; + change->copyfrom_rev = SVN_INVALID_REVNUM; + } } } } diff --git a/subversion/tests/cmdline/authz_tests.py b/subversion/tests/cmdline/authz_tests.py index 760cb3663d02f..92e8a5e1935c9 100755 --- a/subversion/tests/cmdline/authz_tests.py +++ b/subversion/tests/cmdline/authz_tests.py @@ -1731,6 +1731,60 @@ def empty_group(sbox): '--username', svntest.main.wc_author, sbox.repo_url) +@Skip(svntest.main.is_ra_type_file) +def log_inaccessible_copyfrom(sbox): + "log doesn't leak inaccessible copyfrom paths" + + sbox.build(empty=True) + sbox.simple_add_text('secret', 'private') + sbox.simple_commit(message='log message for r1') + sbox.simple_copy('private', 'public') + sbox.simple_commit(message='log message for r2') + + svntest.actions.enable_revprop_changes(sbox.repo_dir) + # Remove svn:date and svn:author for predictable output. + svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop', + '-r2', 'svn:date', sbox.repo_url) + svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop', + '-r2', 'svn:author', sbox.repo_url) + + write_restrictive_svnserve_conf(sbox.repo_dir) + + # First test with blanket access. + write_authz_file(sbox, + {"/" : "* = rw"}) + expected_output = svntest.verify.ExpectedOutput([ + "------------------------------------------------------------------------\n", + "r2 | (no author) | (no date) | 1 line\n", + "Changed paths:\n", + " A /public (from /private:1)\n", + "\n", + "log message for r2\n", + "------------------------------------------------------------------------\n", + ]) + svntest.actions.run_and_verify_svn(expected_output, [], + 'log', '-r2', '-v', + sbox.repo_url) + + # Now test with an inaccessible copy source (/private). + write_authz_file(sbox, + {"/" : "* = rw"}, + {"/private" : "* ="}) + expected_output = svntest.verify.ExpectedOutput([ + "------------------------------------------------------------------------\n", + "r2 | (no author) | (no date) | 1 line\n", + "Changed paths:\n", + # The copy is shown as a plain add with no copyfrom info. + " A /public\n", + "\n", + # No log message, as the revision is only partially visible. + "\n", + "------------------------------------------------------------------------\n", + ]) + svntest.actions.run_and_verify_svn(expected_output, [], + 'log', '-r2', '-v', + sbox.repo_url) + ######################################################################## # Run the tests @@ -1771,6 +1825,7 @@ def empty_group(sbox): inverted_group_membership, group_member_empty_string, empty_group, + log_inaccessible_copyfrom, ] serial_only = True