retitle 437148 "svn", "svnserve" command passthrough is unsafe thanks
* Joachim Breitner: >> So what? You still need a second channel to access that repository >> using the Subversion protocol. scponly access alone is not >> sufficient. > > It is, as you can run “svn” in the scponly shell, in Debian’s current > configuration. If in doubt, please re-try the steps I took in the > original report. Ah, I see. Passing through plain "svn" commands is a really, really stupid thing to do. I couldn't image that scponly doing this. Other holes introducd by "svn" pass-through: svn checkout (write arbitrary files) svn diff --diff-cmd (arbitrary command execution) svn export (write arbitrary files) svn propedit --editor-cmd (arbitrary command execution) And likely a few more. Your example shows that "svnserve" isn't safe, either.
