I assume the server would error if someone removed this check on the
client side?

rhuij...@apache.org wrote on Wed, May 04, 2011 at 00:04:29 -0000:
> Author: rhuijben
> Date: Wed May  4 00:04:29 2011
> New Revision: 1099298
> 
> URL: http://svn.apache.org/viewvc?rev=1099298&view=rev
> Log:
> In libsvn_ra_serf check if a reparenting operation doesn't step outside the
> repository. This matches the test performed by ra_local.
> 
> * subversion/libsvn_ra_serf/serf.c
>   (svn_ra_serf__reparent): Verify if the new session uri is still in the same
>     repository.
> 
> Modified:
>     subversion/trunk/subversion/libsvn_ra_serf/serf.c
> 
> Modified: subversion/trunk/subversion/libsvn_ra_serf/serf.c
> URL: 
> http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_serf/serf.c?rev=1099298&r1=1099297&r2=1099298&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/libsvn_ra_serf/serf.c (original)
> +++ subversion/trunk/subversion/libsvn_ra_serf/serf.c Wed May  4 00:04:29 2011
> @@ -456,7 +456,20 @@ svn_ra_serf__reparent(svn_ra_session_t *
>        return SVN_NO_ERROR;
>      }
>  
> -  /* Do we need to check that it's the same host and port? */
> +  if (!session->repos_root_str)
> +    {
> +      const char *vcc_url;
> +      SVN_ERR(svn_ra_serf__discover_vcc(&vcc_url, session, NULL, pool));
> +    }
> +
> +  if (!svn_uri_is_ancestor(session->repos_root_str, url))
> +    {
> +      return svn_error_createf(
> +          SVN_ERR_RA_ILLEGAL_URL, NULL,
> +          _("URL '%s' is not a child of the session's repository root "
> +            "URL '%s'"), url, session->repos_root_str);
> +    }
> +
>    status = apr_uri_parse(session->pool, url, &new_url);
>    if (status)
>      {
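Review bot: the `if (!session->repos_root_str)` block calls svn_ra_serf__discover_vcc() only for a side effect: `vcc_url` is never read, and the next statement passes `session->repos_root_str` straight to svn_uri_is_ancestor(). Nothing in the hunk shows that discovery fills in that field, so please add a comment saying that the call is what populates `repos_root_str`, and check the field again after the call so that a NULL root is never handed to svn_uri_is_ancestor() or to the "%s" in the error message. The removed comment asked about host and port, so the log message or a code comment should also state that the ancestor test against the repository root URL is what now answers that question.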
> 
> 
