On 2022-11-06 04:59:19 +0100, Vincent Lefevre wrote: > I'm also wondering of the consequence of symlinks .svn/entries to > /path-to-attacked-user/.svn/entries, etc. except for the pristine > subdirectory, which Mallory creates as world-writable. If the user > does a "svn up", could this populate the pristine subdirectory > (owned by Mallory)?
In case this is not clear: Mallory owns the "/home/.svn" directory. The user's home is "/home/user". The user has a working copy "/home/user/private-wc" and Mallory knows that (or at least can guess). The symlinks would be: /home/.svn/entries -> /home/user/private-wc/.svn/entries and ditto for "format", "tmp", "wc.db", "wc.db-journal". Actually this doesn't seem to work as svn expects .svn-base files (with a test using ~/software/test/.svn instead of /home/.svn): zira:~/software/test> svn up svn: E155009: Failed to run the WC DB work queue associated with '/home/vinc17/software/test/README', work item 2510 (file-install README 1 0 1 1) svn: E000002: Can't open file '/home/vinc17/software/test/.svn/pristine/41/412b65baed0c5ba451a7151c8630c135b6116557.svn-base': No such file or directory However, this modifies the user's working copy (which shouldn't have been touched), as "svn up" gives from this working copy: svn: E155037: Previous operation has not finished; run 'cleanup' if it was interrupted This is bad. -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
