Ever since that major security fix, we have the problem that plugins/scmsvn/common/SVNPlugin.class.php has…
    if ($project->enableAnonSCM()) {
        system ("chmod -R g+wX,o+rX-w $repo") ;
    } else {
        system ("chmod -R g+wX,o-rwx $repo") ;
    }
… only in the “create” case, and that later changes only do:
    if ($project->enableAnonSCM()) {
        system ("chmod g+wX,o+rX-w $repo") ;
    } else {
        system ("chmod g+wX,o-rwx $repo") ;
    }
That is, without the -R.
I move that the chmod inside the 「if (!isdir ($repo) || !isfile ("$repo/format"))」 block be changed to always enable o+rX-w, and only the top-level directory shall be used to switch repos between public and private. We will, of course, need appropriate update code in a postinst to convert already-done repositories.
I noticed this in scmsvn and have not looked at the other scm* plugins for whether they exhibit this problem too.
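The permission scheme proposed above, written out as a shell conversion routine of the kind a postinst could run per repository. This is an added example, not the project's code; the function names `set_repo_visibility` and `convert_repo` are hypothetical, and the chmod modes are the ones quoted in the report.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not the project's code.

# Toggle public/private on the top-level directory only, using the same
# non-recursive modes the plugin already applies on later changes.
set_repo_visibility() {
    case $2 in
        public)  chmod g+wX,o+rX-w -- "$1" ;;
        private) chmod g+wX,o-rwx -- "$1" ;;
        *) echo "unknown visibility: $2" >&2; return 2 ;;
    esac
}

# One-time conversion of an existing repository (the postinst step).
convert_repo() {
    repo=$1
    visibility=$2
    # Only touch initialised repositories: a directory holding "format".
    if [ ! -d "$repo" ] || [ ! -f "$repo/format" ]; then
        echo "skipping $repo: not a repository" >&2
        return 1
    fi
    # Contents always end up o+rX-w, whatever they were created with.
    chmod -R g+wX,o+rX-w -- "$repo" || return 1
    # Others need search (x) permission on the top-level directory to reach
    # anything below it by path, so this one mode decides the visibility.
    set_repo_visibility "$repo" "$visibility"
}

# Usage: sh convert.sh /path/to/repo public|private
if [ "$#" -eq 2 ]; then
    convert_repo "$1" "$2"
fi
```

After conversion, a later public/private switch only needs `set_repo_visibility`, which is why the missing `-R` in the update path stops mattering.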