Uploaded image for project: 'FishEye'
  1. FishEye
  2. FE-5551

SVN E160013 404 Not Found for paths with url decodable seqences

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Tracked Elsewhere
    • Affects Version/s: None
    • Fix Version/s: N/A
    • Component/s: Indexing - SVN
    • Labels:
    • Epic Link:
    • Regular Expression:
      org\.apache\.subversion\.javahl\.ClientException: svn: E160013: .*? path not found: 404 Not Found

      Description

      If a Subversion repository contains a file that has a path containing URL decodable sequences (%XX where X is a 0-9 or A-F) or spaces then recursive operations fail when the HTTP or HTTPS protocol is used.

      For example if there is a path in the repository such as /branches/dir-with-percents-%28brackets%29/file.txt then

      svn info -R http://SERVER/branches
      

      fails with an error similar to:

      Repository paused due to error com.cenqua.fisheye.rep.RepositoryClientException: org.apache.subversion.javahl.ClientException: svn: E160013: '/svn/repository/!svn/bc/2/branches/dir-with-percents-(brackets)/file.txt' path not found: 404 Not Found (http://SERVER) org.apache.subversion.javahl.ClientException: svn: E160013: '/svn/repository/!svn/bc/2/branches/dir-with-percents-(brackets)/file.txt' path not found: 404 Not Found (http://SERVER) org.tmatesoft.svn.core.SVNException: svn: E160013: '/svn/repository/!svn/bc/2/branches/dir-with-percents-(brackets)/file.txt' path not found: 404 Not Found (http://SERVER)
      

      The problem is caused by the improper escaping of URIs in mod_dav. This issue has been reintroduced is some Apache Httpd releases, however it seems to be finally fixed in Httpd 2.4.10. More information is available here:

      For example calling

      svn info -R http://SERVER/branches
      

      Makes a PROPFIND HTTP request to the SVN repository, similar to the following:

      curl -H "Depth: 1" -X PROPFIND http://SERVER/repo/\!svn/rvr/5/branches
      

      Where the proper response looks like (Apache Httpd 2.2.31):

      <?xml version="1.0" encoding="utf-8"?>
      <D:multistatus xmlns:D="DAV:">
        <D:response xmlns:S="http://subversion.tigris.org/xmlns/svn/" ...>
          <D:href>/repo/!svn/rvr/5/branches/</D:href>
          ...
        </D:response>
        <D:response xmlns:S="http://subversion.tigris.org/xmlns/svn/"...>
          <D:href>/repo/!svn/rvr/5/branches/dir-with-percents-%2528brackets%2529/</D:href> <!-- NOTE THE DIFFERENCE HERE. % is escaped resulting in %25 string -->
         ...
      

      A vulnerable version of Httpd won't escape the % character causing the output to look like (Apache Httpd 2.2.26):

      <?xml version="1.0" encoding="utf-8"?>
      <D:multistatus xmlns:D="DAV:">
        <D:response xmlns:S="http://subversion.tigris.org/xmlns/svn/" ...>
          <D:href>/repo/!svn/rvr/5/branches/</D:href>
          ...
        </D:response>
        <D:response xmlns:S="http://subversion.tigris.org/xmlns/svn/" ...>
          <D:href>/repo/!svn/rvr/5/branches/dir-with-percents-%28brackets%29/</D:href>  <!-- NOTE THE DIFFERENCE HERE. % is not escaped -->
         ...
      

      Workaround

      1. Upgrade Apache Httpd to version 2.4.10+
      2. Configure Fisheye repository to use file:// (possibly with svnsync) or svn://.
        1. Protocol svn+ssh:// cannot be used due to an existing bug in SVNKit: https://issues.tmatesoft.com/issue/SVNKIT-476

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                2 Vote for this issue
                Watchers:
                15 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Last commented:
                  2 years, 10 weeks ago