Vincent Lefevre wrote on Mon, 24 Oct 2022 13:57 +00:00:
> "svn" goes up in the directory hierarchy to look for a .svn directory.
> The issue is that it doesn't stop at filesystem and/or owner change.

Why should the upwards scan stop at mount points? Because accessing /home/.svn on a random machine in your lab hangs? That's insufficient justification.

Why should the upwards scan stop at owner change? What are the facts of the setup (a concrete example with relevant ownerships and permissions specified) and what could Mallory do that he shouldn't be able to?

Feel free to reply on security@ if the matter isn't suitable for public discussion.

> This has several consequences:
>
> * A potential security issue, because some .svn directory may be
> under control of another user.
>
> * On some machine at my lab (Debian/stable), this makes svn hang
> when trying to open "/home/.svn", which is the home dir of the
> user ".svn" (FYI, emacs tries to get the svn status of a file
> when opening it).
>
> This is reproducible with
>
> svn, version 1.14.2 (r1899510)
> compiled Oct 20 2022, 08:12:24 on x86_64-pc-linux-gnu
>
> under Debian/unstable.
>
> On the Debian/stable machine, this issue is made worse by the fact
> that svn still goes up after a svn working copy has been reached:
>
> patate:~/private/backup> svn info
>
> hangs, but not
>
> patate:~/private> svn info
> svn: E155036: Please see the 'svn upgrade' command
> svn: E155036: The working copy at '/home/vlefevre/private'
> is too old (format 9) to work with client version '1.14.1 (r1886195)'
> (expects format 31). You need to upgrade the working copy first.
>
> which fails immediately (this was probably a very old svn working copy,
> which I no longer use).

Not everyone uses Debian, so saying "the version of svn in Debian stable" is farther right on the https://xkcd.com/1343/ scale than it could be. Distro version number and codename and package version number is what I'd recommend.

Cheers,

Daniel

> --
> Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
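As an added illustration, not part of this thread and not Subversion's own code, here is what a bounded upward scan of the kind Vincent describes could look like: it gives up as soon as a parent directory sits on another filesystem or belongs to a different owner than the start directory, and it refuses a `.svn` entry owned by someone else. The in-memory tree, the uids and the `scan_fake_tree` helper are constructed for the example, modelled on the /home/.svn situation from the report.

```python
import os
import posixpath
from collections import namedtuple

# Only the two stat fields the scan consults (constructed for this example).
StatView = namedtuple("StatView", "st_dev st_uid")

def find_wc_root(start, stat_fn=os.stat, isdir_fn=os.path.isdir):
    """Walk upward from `start` for a directory containing `.svn`.

    Returns None as soon as a parent is on another filesystem (st_dev changes)
    or is owned by a different uid than the start directory, and refuses a
    `.svn` entry not owned by that uid. Otherwise returns the working-copy root.
    """
    start = posixpath.normpath(start)
    origin = stat_fn(start)
    cur = start
    while True:
        st = stat_fn(cur)
        if st.st_dev != origin.st_dev or st.st_uid != origin.st_uid:
            return None  # crossed a mount point or into another user's tree
        admin = posixpath.join(cur, ".svn")
        if isdir_fn(admin):
            # a .svn created by another uid is not ours to trust
            return cur if stat_fn(admin).st_uid == origin.st_uid else None
        parent = posixpath.dirname(cur)
        if parent == cur:
            return None  # reached / without finding a working copy
        cur = parent

def scan_fake_tree(tree, start):
    """Run find_wc_root over a constructed {path: (st_dev, st_uid)} tree."""
    def stat_fn(p):
        return StatView(*tree[posixpath.normpath(p)])
    def isdir_fn(p):
        return posixpath.normpath(p) in tree
    return find_wc_root(start, stat_fn, isdir_fn)

# Constructed layout: /home is root's, /home/.svn is the home of a user named
# ".svn", vlefevre owns a real working copy under private/, and shared/ holds
# a .svn entry created by a different uid.
LAB_TREE = {
    "/": (1, 0), "/home": (1, 0), "/home/.svn": (1, 1001),
    "/home/vlefevre": (1, 1000), "/home/vlefevre/private": (1, 1000),
    "/home/vlefevre/private/.svn": (1, 1000),
    "/home/vlefevre/private/backup": (1, 1000),
    "/home/vlefevre/shared": (1, 1000), "/home/vlefevre/shared/.svn": (1, 1002),
    "/home/vlefevre/shared/proj": (1, 1000),
}
```

Starting in `backup` the scan stops at `private`, the real working copy; starting in `/home/vlefevre` it halts at root-owned `/home` and never reaches `/home/.svn`.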