Merge lp:~spiv/bzr/bug-400535 into lp:~bzr/bzr/trunk-old
Proposed by
Andrew Bennetts
Status: | Merged | ||||
---|---|---|---|---|---|
Merged at revision: | not available | ||||
Proposed branch: | lp:~spiv/bzr/bug-400535 | ||||
Merge into: | lp:~bzr/bzr/trunk-old | ||||
Diff against target: | 162 lines | ||||
To merge this branch: | bzr merge lp:~spiv/bzr/bug-400535 | ||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Robert Collins (community) | Approve | ||
Review via email: mp+9031@code.launchpad.net |
To post a comment you must log in.
This patch fixes a serious bug in 1.16 and 1.17rc1. cmd_serve was refactored in
May to split out a “serve_bzr” function that takes care of creating a
ChrootServer for the specified directory and then starting a TCP or inet server
with that backing transport. Unfortunately, the refactoring introduced a bug
where the ChrootServer is ignored, and the plain LocalTransport is served
directly.
Thankfully, this doesn't appear to cause any security holes because invalid
paths like "../../../foo" are rejected by the smart server request handler
immediately, and requests that would try to walk up the filesystem to find a
BzrDir get stopped by the BzrDir.open jail that was recently introduced.
It's possible I've missed something and there is a way to exploit this bug to
trick an existing smart request into revealing data from outside the designated
directory, perhaps in conjunction with a server-side plugin, but so far I
haven't found any.
So, this patch fixes the essentially trivial bug, and adds a rather complicated
cmd_serve blackbox test that to prevent it regressing.
I suspect this bug also causes <https:/ /bugs.launchpad .net/bzr/ +bug/398199>, or
is at least contributing to it.
Because the bug is so serious, and because the fix is so obviously correct, this
fix should be included in 1.17 as well as bzr.dev.
-Andrew.