[Bug 1284641] Re: problem with paths with spaces with 12.04 client with 14.04 server
Stephane Chazelas
stephane.chazelas at seebyte.com
Wed Feb 26 08:55:22 UTC 2014
There's a problem with any DAV client, it's not only old svn client. So
I'll raise the issue upstreams.
I had raised it here because in the past, similar reports to upstreams
were answered with "then upgrade your client to fix the problem", while
here it's a real concern for ubuntu.
But it is really a violation of the WebDAV protocol so I expect
upstreams will want to fix it.
Excerpt of traffic between cadaver and mod_dav_svn 1.8.8, see how some
space and < and % characters are not escaped (but are in other
contexts).
I suppose it's not impossible that there be security implications as
someone may be able to craft a harmful PROPFIND response (since <, > are
not encoded) by adding crafted file names to the repository.
PROPFIND /svn/ HTTP/1.1
User-Agent: cadaver/0.23.3 neon/0.29.1
Connection: TE
TE: trailers
Host: vm189-eth0.vmnet60
Depth: 1
Content-Length: 288
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop></propfind>

HTTP/1.1 207 Multi-Status
Date: Wed, 26 Feb 2014 08:40:23 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 2549
Content-Type: text/xml; charset="utf-8"

<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:ns1="http://apache.org/dav/props/" xmlns:ns0="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="DAV:" xmlns:g1="http://apache.org/dav/props/">
<D:href>/svn/</D:href>
<D:propstat>
<D:prop>
<lp1:getlastmodified>Tue, 25 Feb 2014 14:43:59 GMT</lp1:getlastmodified>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:checked-in><D:href>/svn/!svn/ver/5/</D:href></lp1:checked-in>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
<D:propstat>
<D:prop>
<g0:getcontentlength/>
<g1:executable/>
<g0:checked-out/>
</D:prop>
<D:status>HTTP/1.1 404 Not Found</D:status>
</D:propstat>
</D:response>
<D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="http://apache.org/dav/props/" xmlns:g1="DAV:">
⇨ <D:href>/svn/a>b</D:href>
<D:propstat>
<D:prop>
<lp1:getcontentlength>10</lp1:getcontentlength>
<lp1:getlastmodified>Tue, 25 Feb 2014 13:09:01 GMT</lp1:getlastmodified>
<lp1:resourcetype/>
<lp1:checked-in><D:href>/svn/!svn/ver/3/a%3Eb</D:href></lp1:checked-in>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
<D:propstat>
<D:prop>
<g0:executable/>
<g1:checked-out/>
</D:prop>
<D:status>HTTP/1.1 404 Not Found</D:status>
</D:propstat>
</D:response>
<D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="DAV:" xmlns:g1="http://apache.org/dav/props/">
⇨ <D:href>/svn/A B/</D:href>
<D:propstat>
<D:prop>
<lp1:getlastmodified>Tue, 25 Feb 2014 12:46:53 GMT</lp1:getlastmodified>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:checked-in><D:href>/svn/!svn/ver/1/A%20B</D:href></lp1:checked-in>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
<D:propstat>
<D:prop>
<g0:getcontentlength/>
<g1:executable/>
<g0:checked-out/>
</D:prop>
<D:status>HTTP/1.1 404 Not Found</D:status>
</D:propstat>
</D:response>
<D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="http://apache.org/dav/props/" xmlns:g1="DAV:">
⇨ <D:href>/svn/%2F</D:href>
<D:propstat>
<D:prop>
<lp1:getcontentlength>9</lp1:getcontentlength>
<lp1:getlastmodified>Tue, 25 Feb 2014 14:43:59 GMT</lp1:getlastmodified>
<lp1:resourcetype/>
<lp1:checked-in><D:href>/svn/!svn/ver/5/%252F</D:href></lp1:checked-in>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
<D:propstat>
<D:prop>
<g0:executable/>
<g1:checked-out/>
</D:prop>
<D:status>HTTP/1.1 404 Not Found</D:status>
</D:propstat>
</D:response>
</D:multistatus>
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subversion in Ubuntu.
https://bugs.launchpad.net/bugs/1284641
Title:
problem with paths with spaces with 12.04 client with 14.04 server
Status in “subversion” package in Ubuntu:
New
Bug description:
source package: subversion
bin package: libapache2-mod-svn
The problem shows up with libapache2-mod-svn 1.8.8-1ubuntu3 on the
current 14.04 (amd64 though that doesn't matter). It showed up in
1.7.14 already.
The problem is an interoperability problem with subversion clients
prior to 1.7.x. Typically, ubuntu 12.04 clients (1.6.17) are affected
by that bug. That means that anybody upgrading their server from 12.04
to 14.04 is potentially going to be affected (unless they upgrade
their clients beforehand).
There's a related bug with the subversion server coming with 13.10
which I'll raise shortly.
Newer clients (1.7 and above) are not affected even with
"SVNAdvertiseV2Protocol Off" on the server (contrary to the 13.10
bug).
How to reproduce:
On a 14.04 server (as root),
apt-get install apache2 subversion libapache2-mod-svn
a2enmod dav_svn
svnadmin create /srv/svn
chown -R www-data: /srv/svn
cat > /etc/apache2/mods-available/dav_svn.conf << EOF
<Location /svn>
DAV svn
SVNPath /srv/svn
</Location>
EOF
service apache2 restart
On a 12.04 client:
svn co http://server/svn test
cd test
mkdir -p 'A B/C'
echo test > 'A B/C/x'
svn add 'A B'
svn ci -m m1
svn log 'A B/C/x'
That svn log command will fail with:
svn: Unable to parse URL '/svn/A B/C/x'
A commit of a change on that "x" file will fail as well:
echo test >> 'A B/C/x'
svn ci -m m2
When using svn log --config-option servers:global:neon-debug-mask=130 'A B/C/x'
we see:
Sending request headers:
PROPFIND /svn/A%20B/C/x HTTP/1.1
User-Agent: SVN/1.6.17 (r1128011) neon/0.29.6
(OK)
[status-line] < HTTP/1.1 207 Multi-Status
[<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:ns1="http://subversion.tigris.org/xmlns/dav/" xmlns:ns0="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://subversion.tigris.org/xmlns/dav/">
<D:href>/svn/A B/C/x</D:href>
<D:propstat>
<D:prop>
<lp1:version-controlled-configuration><D:href>/svn/!svn/vcc/default</D:href></lp1:version-controlled-configuration>
<lp1:resourcetype/>
<lp2:baseline-relative-path>A B/C/x</lp2:baseline-relative-path>
<lp2:repository-uuid>1e784bc0-1833-41df-a2eb-683d1610caa8</lp2:repository-uuid>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
While the problem with 13.10 (1.7.9) was too much URI encoding (space turned to %20 itself turned into %2520), it looks like in this case there's not enough encoding (href being /svn/A B/C/x instead of /svn/A%20B/C/x above).
It is really a bug because even < and > are not encoded. The reason
why newer clients work is because they send different HTTP requests
(OPTIONS, REPORT and no PROPFIND even with V2 disabled).
On 12.04, one can work around the problem by upgrading svn from the
"svn" ppa (svn 1.7.9), but note that it breaks rapidsvn (segfault) and
possibly other tools linking to libsvn.
As shown above, space is not the only character causing problems.
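
Added example (not part of the original message or of Subversion): a client-side check for the problem shown in the PROPFIND trace above. It flags D:href values that are not valid RFC 3986 paths, or that disagree with the encoding of the checked-in href in the same response; the trimmed sample body and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

DAV = "{DAV:}"
# RFC 3986 path: unreserved / sub-delims / ":" / "@" / "/", or a %XX escape.
VALID_PATH = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2})*")
# Version-resource URL as seen in the trace: <root>!svn/ver/<rev>/<encoded path>
VER = re.compile(r"^(?P<root>.*/)!svn/ver/\d+/(?P<rest>.*)$")

def response_xml(href, checked_in):
    # Plain string formatting on purpose: no escaping, like the server in the trace.
    return (f"<D:response><D:href>{href}</D:href><D:propstat><D:prop>"
            f"<D:checked-in><D:href>{checked_in}</D:href></D:checked-in>"
            f"</D:prop></D:propstat></D:response>")

# Constructed sample: the four responses from the trace, trimmed to two hrefs each.
SAMPLE = ('<D:multistatus xmlns:D="DAV:">'
          + response_xml("/svn/", "/svn/!svn/ver/5/")
          + response_xml("/svn/a>b", "/svn/!svn/ver/3/a%3Eb")
          + response_xml("/svn/A B/", "/svn/!svn/ver/1/A%20B")
          + response_xml("/svn/%2F", "/svn/!svn/ver/5/%252F")
          + "</D:multistatus>")

def audit_multistatus(body):
    """Return (href, problem, expected_href) for each suspicious response href."""
    try:
        # For bodies from untrusted servers, use a hardened XML parser instead.
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # An unescaped '<' in a file name breaks the document itself.
        return [(None, f"body is not well-formed XML: {exc}", None)]
    findings = []
    for resp in root.findall(DAV + "response"):
        href = resp.findtext(DAV + "href", default="")
        checked_in = resp.findtext(f".//{DAV}checked-in/{DAV}href")
        m = VER.match(checked_in or "")
        expected = m["root"] + m["rest"] if m else None
        if not VALID_PATH.fullmatch(href):
            findings.append((href, "not a valid URI path", expected))
        elif expected is not None and href.rstrip("/") != expected.rstrip("/"):
            # Syntactically valid but under-encoded, e.g. a file literally named %2F.
            findings.append((href, "differs from checked-in encoding", expected))
    return findings

if __name__ == "__main__":
    for finding in audit_multistatus(SAMPLE):
        print(finding)
```

The third case is the one a pure syntax check misses: "/svn/%2F" is a valid path, and only the comparison with the checked-in href shows that the literal "%" was not encoded.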