| Server IP : 85.214.239.14 / Your IP : 18.225.98.191 Web Server : Apache/2.4.61 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /proc/3/cwd/usr/share/subversion/hook-scripts/ |
Upload File : |
#!/usr/bin/python3
# Licensed under the same terms as Subversion: the Apache License, Version 2.0
#
# pre-commit hook script for Subversion CVE-2017-9800
#
# This prevents commits that set svn:externals containing suspicions
# svn+ssh:// URLs.
#
# With this script installed a commit like the one below should fail:
#
# svnmucc -mm propset svn:externals 'svn+ssh://-localhost/X X' REPOSITORY-URL
import sys, locale, urllib, urlparse, curses.ascii
from svn import wc, repos, fs
# A simple whitelist to ensure these are not suspicious:
# user@server
# [::1]:22
# server-name
# server_name
# 127.0.0.1
# with an extra restriction that a leading '-' is suspicious.
def suspicious_host(host):
if host[0] == '-':
return True
for char in host:
if not curses.ascii.isalnum(char) and not char in ':.-_[]@':
return True
return False
native = locale.getlocale()[1]
if not native: native = 'ascii'
repos_handle = repos.open(sys.argv[1].decode(native).encode('utf-8'))
fs_handle = repos.fs(repos_handle)
txn_handle = fs.open_txn(fs_handle, sys.argv[2].decode(native).encode('utf-8'))
txn_root = fs.txn_root(txn_handle)
rev_root = fs.revision_root(fs_handle, fs.txn_root_base_revision(txn_root))
for path, change in fs.paths_changed2(txn_root).iteritems():
if change.prop_mod:
# The new value, if any
txn_prop = fs.node_prop(txn_root, path, "svn:externals")
if not txn_prop:
continue
# The old value, if any
rev_prop = None
if change.change_kind == fs.path_change_modify:
rev_prop = fs.node_prop(rev_root, path, "svn:externals")
elif change.change_kind == fs.path_change_add and change.copyfrom_path:
copy_root = fs.revision_root(fs_handle, change.copyfrom_rev)
rev_prop = fs.node_prop(copy_root, change.copyfrom_path,
"svn:externals")
if txn_prop != rev_prop:
error_path = path.decode('utf-8').encode(native, 'replace')
externals = []
try:
externals = wc.parse_externals_description2(path, txn_prop)
except:
sys.stderr.write("Commit blocked due to parse failure "
"on svn:externals for %s\n" % error_path)
sys.exit(1)
for external in externals:
parsed = urlparse.urlparse(urllib.unquote(external.url))
if (parsed and parsed.scheme[:4] == "svn+"
and suspicious_host(parsed.netloc)):
sys.stderr.write("Commit blocked due to suspicious URL "
"containing %r in svn:externals "
"for %s\n" % (parsed.netloc, error_path))
sys.exit(1)