On the 1.7.x-md5-collision branch: Merge r1550691, r1550772, r1600909 from trunk.
svn_hash_gets(...) was changed to apr_hash_get(..., APR_HASH_KEY_STRING) since
the svn_hash_gets() macro was not available in 1.7.x.
git-svn-id: https://svn.apache.org/repos/asf/subversion/branches/1.7.x-md5-collision@1600983 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/subversion/libsvn_subr/config_auth.c b/subversion/libsvn_subr/config_auth.c
index bdf8f2f..3e8f3b6 100644
--- a/subversion/libsvn_subr/config_auth.c
+++ b/subversion/libsvn_subr/config_auth.c
@@ -90,6 +90,7 @@
if (kind == svn_node_file)
{
svn_stream_t *stream;
+ svn_string_t *stored_realm;
SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
_("Unable to open auth file for reading"));
@@ -100,6 +101,12 @@
apr_psprintf(pool, _("Error parsing '%s'"),
svn_dirent_local_style(auth_path, pool)));
+ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
+ APR_HASH_KEY_STRING);
+
+ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
+ *hash = NULL; /* Hash collision, or somebody tampering with storage */
+
SVN_ERR(svn_stream_close(stream));
}
