Details
-
Bug
-
Resolution: Tracked Elsewhere
-
Medium
-
None
Description
If a Subversion repository contains a file that has a path containing URL decodable sequences (%XX where X is a 0-9 or A-F) or spaces then recursive operations fail when the HTTP or HTTPS protocol is used.
For example if there is a path in the repository such as /branches/dir-with-percents-%28brackets%29/file.txt then
svn info -R http://SERVER/branches
fails with an error similar to:
Repository paused due to error com.cenqua.fisheye.rep.RepositoryClientException: org.apache.subversion.javahl.ClientException: svn: E160013: '/svn/repository/!svn/bc/2/branches/dir-with-percents-(brackets)/file.txt' path not found: 404 Not Found (http://SERVER) org.apache.subversion.javahl.ClientException: svn: E160013: '/svn/repository/!svn/bc/2/branches/dir-with-percents-(brackets)/file.txt' path not found: 404 Not Found (http://SERVER) org.tmatesoft.svn.core.SVNException: svn: E160013: '/svn/repository/!svn/bc/2/branches/dir-with-percents-(brackets)/file.txt' path not found: 404 Not Found (http://SERVER)
The problem is caused by the improper escaping of URIs in mod_dav. This issue has been reintroduced is some Apache Httpd releases, however it seems to be finally fixed in Httpd 2.4.10. More information is available here:
- https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1284641
- https://bz.apache.org/bugzilla/show_bug.cgi?id=56480
- https://bz.apache.org/bugzilla/show_bug.cgi?id=55397
- https://bz.apache.org/bugzilla/show_bug.cgi?id=54611
For example calling
svn info -R http://SERVER/branches
Makes a PROPFIND HTTP request to the SVN repository, similar to the following:
curl -H "Depth: 1" -X PROPFIND http://SERVER/repo/\!svn/rvr/5/branches
Where the proper response looks like (Apache Httpd 2.2.31):
<?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:"> <D:response xmlns:S="http://subversion.tigris.org/xmlns/svn/" ...> <D:href>/repo/!svn/rvr/5/branches/</D:href> ... </D:response> <D:response xmlns:S="http://subversion.tigris.org/xmlns/svn/"...> <D:href>/repo/!svn/rvr/5/branches/dir-with-percents-%2528brackets%2529/</D:href> <!-- NOTE THE DIFFERENCE HERE. % is escaped resulting in %25 string --> ...
A vulnerable version of Httpd won't escape the % character causing the output to look like (Apache Httpd 2.2.26):
<?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:"> <D:response xmlns:S="http://subversion.tigris.org/xmlns/svn/" ...> <D:href>/repo/!svn/rvr/5/branches/</D:href> ... </D:response> <D:response xmlns:S="http://subversion.tigris.org/xmlns/svn/" ...> <D:href>/repo/!svn/rvr/5/branches/dir-with-percents-%28brackets%29/</D:href> <!-- NOTE THE DIFFERENCE HERE. % is not escaped --> ...
Workaround
- Upgrade Apache Httpd to version 2.4.10+
- Configure Fisheye repository to use file:// (possibly with svnsync) or svn://.
- Protocol svn+ssh:// cannot be used due to an existing bug in SVNKit: https://issues.tmatesoft.com/issue/SVNKIT-476
Attachments
Issue Links
- is related to
-
FE-5636 FishEye SVN Indexing Fails When Filenames contain backslash
- Closed
- relates to
-
FE-5809 Indexing stopped due to to error com.cenqua.fisheye.rep.RepositoryClientException
- Closed
- links to
- mentioned in
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...
-
Page Loading...