
[#617] SCM: impossible to make public repos created as private

Date: 2014-01-09 14:54
Priority: 4
State: Closed
Submitted by: Thorsten Glaser (mirabilos)
Assigned to: Nobody (None)
Target Release: 6.0
Found in Version: 5.1.2
Severity: normal
Resolution: Fixed
Summary: SCM: impossible to make public repos created as private

Detailed description
Ever since that major security fix, we have the problem that plugins/scmsvn/common/SVNPlugin.class.php has…

    if ($project->enableAnonSCM()) {
        system ("chmod -R g+wX,o+rX-w $repo") ;
    } else {
        system ("chmod -R g+wX,o-rwx $repo") ;
    }

… only in the “create” case, and that later changes only do:

    if ($project->enableAnonSCM()) {
        system ("chmod g+wX,o+rX-w $repo") ;
    } else {
        system ("chmod g+wX,o-rwx $repo") ;
    }

That is, without the -R.

I move that the chmod inside the 「if (!is_dir ($repo) || !is_file ("$repo/format"))」 block be changed to always enable o+rX-w, and only the top-level directory shall be used to switch repos between public and private. We will, of course, need appropriate update code in a postinst to convert already-done repositories.

I noticed this in scmsvn and have not looked at the other scm* plugins for whether they exhibit this problem too.
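
The permission scheme proposed above, as an added example that is not FusionForge code or part of the original report: the inner tree always gets o+rX-w, only the top-level directory is switched, and a check counts entries still carrying the old recursive o-rwx. The function names and the sample repository layout are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not FusionForge code.

# Inner tree: group-writable, world-readable, never world-writable.
normalize_tree() {
    chmod -R g+wX,o+rX-w "$1"
}

# Public/private switch: changes the top-level directory only.
set_visibility() {    # $1 = repo path, $2 = public | private
    case "$2" in
        public)  chmod g+wX,o+rX-w "$1" ;;
        private) chmod g+wX,o-rwx "$1" ;;
        *)       echo "usage: set_visibility REPO public|private" >&2; return 2 ;;
    esac
}

# Report visibility from the "other" bits of the top-level directory.
visibility() {
    other=$(ls -ld "$1" | cut -c8-10)
    if [ "$other" = "---" ]; then echo private; else echo public; fi
}

# Count entries below the top level that "other" cannot read. Non-zero
# means the repository still carries the recursive o-rwx from creation,
# so a top-level switch to public will not expose its contents.
stale_entries() {
    find "$1" ! -path "$1" ! -perm -004 | wc -l | tr -d ' '
}

# Constructed sample: a repository created private, then switched public
# the way the description says later changes do it (no -R).
demo() {
    repo=$(mktemp -d) && mkdir "$repo/db" && : > "$repo/db/current" && : > "$repo/format"
    chmod -R g+wX,o-rwx "$repo"    # "create" case, private project
    chmod g+wX,o+rX-w "$repo"      # later change, top level only
    echo "before: $(visibility "$repo"), stale=$(stale_entries "$repo")"
    normalize_tree "$repo"         # what a one-time conversion would do
    set_visibility "$repo" private
    echo "after:  $(visibility "$repo"), stale=$(stale_entries "$repo")"
    rm -rf "$repo"
}
demo
```

With the inner tree normalized, a private repository is protected solely by the missing "other" search bit on its top-level directory, so that one mode is the value to monitor.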
Messages:
Date: 2015-05-22 12:47
Sender: Sylvain Beucler

The migration script for 6.0 reset permissions, and 6.0 will only modify the top-level directory. Fixed :)

Date: 2014-02-09 16:04
Sender: Franck Villaume

I unset target release since this bug is not yet fixed.

Date: 2014-01-09 15:14
Sender: Thorsten Glaser

Indeed, but this does not apply any more. Basically, what you wanted for speedup has already been applied because of security.

I wanted to have this tracked so we can all think about how to best fix this without impeding security again. I’ve attached a patch as basis for discussion.

Date: 2014-01-09 15:07
Sender: Julien HEYMAN

Hi, I have submitted a similar patch for svn and cvs on 5.1.1: https://fusionforge.org/tracker/index.php?func=detail&aid=460&group_id=6&atid=107

Attachments:
Size        Name                Date                By          Download
892 bytes   suggest-patch.txt   2014-01-09 15:14    mirabilos   suggest-patch.txt

Field            Old Value                Date                By
Resolution       Accepted As Bug          2015-05-22 12:48    beuc-inria
status_id        Open                     2015-05-22 12:47    beuc-inria
close_date       None                     2015-05-22 12:47    beuc-inria
Target Release   None                     2015-05-22 12:47    beuc-inria
Target Release   5.1.3                    2014-02-09 16:04    nerville
File Added       391: suggest-patch.txt   2014-01-09 15:14    mirabilos