www/security/CVE-2007-2448-advisory.txt - subversion - Git at Google

 Subversion versions up to and including 1.4.3 have a bug which allows,
 in certain specific scenarios, data stripped from the output of 'svn
 log' due to the requesting user's lack of access priveleges to be
 visible via 'svn propget', 'svn proplist', and 'svn propedit'.

 Details:
 ========

 Like most version control systems, access to versioned objects in
 Subversion is determined on primarily path-based system.  Users either
 do or don't have the ability to read a given path.

 However, unlike many version control systems where versioned objects
 maintain their own distinct version information (revision numbers,
 authors, log messages, change timestamps, etc.), Subversion binds
 multiple paths changed as part of a single commit operation into a
 set, calls the whole thing a revision, and hangs commit metadata
 (author, date, log message, etc.) off of that revision.  So, commit
 metadata is shared across all the paths changed as part of a given
 commit operation.

 It is common for log messages to give detailed information about
 changes made in the commit to which the log message is attached.  Such
 information might include a mention of all the files changed, what was
 changed in them, and so on.  But this causes a problem when presenting
 information to readers who aren't authorized to read every path in the
 repository.  Simply knowing that a given path exists may be a security
 leak, even if the user can't see the contents of the data located at
 that path.

 So Subversion does what it reasonably can to prevent the leak of this
 information, and does so via a staged revision access policy.  A
 reader can be said to have one of three levels of access to a given
 revision's metadata, based solely on the reader's access rights to the
 paths changed or copied in that revision:

   'full access' -- Granted when the reader has access to all paths
      changed or copied in the revision, or when no paths were
      changed in the revision at all, this access level permits
      full visibility of all revision property names and values,
      and the full changed-paths information.

   'no access' -- Granted when the reader does not have access to any
      paths changed or copied in the revision, this access level
      denies the reader access to all revision properties and all
      changed-paths information.

   'partial access' -- Granted when the reader has access to at least
      one, but not all, of the paths changed or copied in the revision,
      this access level permits visibility of the svn:date and
      svn:author revision properties and only the paths of the
      changed-paths information to which the reader has access.

 The bug covered in this advisory causes readers who should be granted
 'partial access' to a revision to instead be granted 'full access' for
 certain revision-property-related query operations.  This situation
 occurs when the reader

    * has access to all paths changed in the revision, but

    * does not have access to all the paths copied in the revision, and

    * is using the following subcommands (or the APIs behind them):
      svn propget, svn proplist, svn propedit.

 An example:

 If in a given revision path /public/document.txt was created as a copy
 of /private/document.txt, and a reader has sufficient authorization to
 read /public/document.txt but not to read /private/document.txt,
 that reader should be granted partial access to the revision.  And, in
 fact, 'svn log' (and the APIs behind it) will grant the proper access
 level.  But the aforementioned 'svn prop*' commands fail to take copy
 source paths into consideration when making a revision access level
 determination -- meaning they only check the reader's access to the
 copy destination (the actual path changed) -- and will grant this
 reader full access.  Where 'svn log' would reveal only the author and
 datestamp of the revision, 'svn prop*' would allow the reader to see
 all of the revision properties, including the log message.

 Severity:
 =========

 This is expected to be a rare scenario.  While path-based
 authorization is common practice, data is not commonly copied from a
 private location to a public one.  The 'svn prop*' commands only
 reveal the contents of properties, not the revision's changed-paths
 information.  And, of course, this bug does not permit anyone to see
 file contents or directory listings that they should not.  Information
 leaked via this bug is limited to the contents of revision properties
 associated with revisions whose changed-path information meets the
 specific criteria mentioned above.

 Workarounds:
 ============

 Log messages and other revision properties can be modified at any
 time, so if you believe your repository contains revision properties
 which might reveal in this scenario information best left unrevealed,
 you can change or remove (perhaps temporarily) the property values.

 Recommendations:
 ================


 References:
 ===========

 CVE-2007-2448:
	Subversion versions up to and including 1.4.3 have a bug which allows,
	in certain specific scenarios, data stripped from the output of 'svn
	log' due to the requesting user's lack of access priveleges to be
	visible via 'svn propget', 'svn proplist', and 'svn propedit'.

	Details:
	========

	Like most version control systems, access to versioned objects in
	Subversion is determined on primarily path-based system. Users either
	do or don't have the ability to read a given path.

	However, unlike many version control systems where versioned objects
	maintain their own distinct version information (revision numbers,
	authors, log messages, change timestamps, etc.), Subversion binds
	multiple paths changed as part of a single commit operation into a
	set, calls the whole thing a revision, and hangs commit metadata
	(author, date, log message, etc.) off of that revision. So, commit
	metadata is shared across all the paths changed as part of a given
	commit operation.

	It is common for log messages to give detailed information about
	changes made in the commit to which the log message is attached. Such
	information might include a mention of all the files changed, what was
	changed in them, and so on. But this causes a problem when presenting
	information to readers who aren't authorized to read every path in the
	repository. Simply knowing that a given path exists may be a security
	leak, even if the user can't see the contents of the data located at
	that path.

	So Subversion does what it reasonably can to prevent the leak of this
	information, and does so via a staged revision access policy. A
	reader can be said to have one of three levels of access to a given
	revision's metadata, based solely on the reader's access rights to the
	paths changed or copied in that revision:

	'full access' -- Granted when the reader has access to all paths
	changed or copied in the revision, or when no paths were
	changed in the revision at all, this access level permits
	full visibility of all revision property names and values,
	and the full changed-paths information.

	'no access' -- Granted when the reader does not have access to any
	paths changed or copied in the revision, this access level
	denies the reader access to all revision properties and all
	changed-paths information.

	'partial access' -- Granted when the reader has access to at least
	one, but not all, of the paths changed or copied in the revision,
	this access level permits visibility of the svn:date and
	svn:author revision properties and only the paths of the
	changed-paths information to which the reader has access.

	The bug covered in this advisory causes readers who should be granted
	'partial access' to a revision to instead be granted 'full access' for
	certain revision-property-related query operations. This situation
	occurs when the reader

	* has access to all paths changed in the revision, but

	* does not have access to all the paths copied in the revision, and

	* is using the following subcommands (or the APIs behind them):
	svn propget, svn proplist, svn propedit.

	An example:

	If in a given revision path /public/document.txt was created as a copy
	of /private/document.txt, and a reader has sufficient authorization to
	read /public/document.txt but not to read /private/document.txt,
	that reader should be granted partial access to the revision. And, in
	fact, 'svn log' (and the APIs behind it) will grant the proper access
	level. But the aforementioned 'svn prop*' commands fail to take copy
	source paths into consideration when making a revision access level
	determination -- meaning they only check the reader's access to the
	copy destination (the actual path changed) -- and will grant this
	reader full access. Where 'svn log' would reveal only the author and
	datestamp of the revision, 'svn prop*' would allow the reader to see
	all of the revision properties, including the log message.

	Severity:
	=========

	This is expected to be a rare scenario. While path-based
	authorization is common practice, data is not commonly copied from a
	private location to a public one. The 'svn prop*' commands only
	reveal the contents of properties, not the revision's changed-paths
	information. And, of course, this bug does not permit anyone to see
	file contents or directory listings that they should not. Information
	leaked via this bug is limited to the contents of revision properties
	associated with revisions whose changed-path information meets the
	specific criteria mentioned above.

	Workarounds:
	============

	Log messages and other revision properties can be modified at any
	time, so if you believe your repository contains revision properties
	which might reveal in this scenario information best left unrevealed,
	you can change or remove (perhaps temporarily) the property values.

	Recommendations:
	================


	References:
	===========

	CVE-2007-2448: