There's a problem with any DAV client; it's not only the old svn client. So
I'll raise the issue upstream.

I had raised it here because in the past, similar reports to upstream
were answered with "then upgrade your client to fix the problem", while
here it's a real concern for Ubuntu.

But it is really a violation of the WebDAV protocol so I expect
upstream will want to fix it.

Excerpt of traffic between cadaver and mod_dav_svn 1.8.8; see how some
space, < and % characters are not escaped (but are in other
contexts).

I suppose it's not impossible that there be security implications as
someone may be able to craft a harmful PROPFIND response (since <, > are
not encoded) by adding crafted file names to the repository.

  PROPFIND /svn/ HTTP/1.1
  User-Agent: cadaver/0.23.3 neon/0.29.1
  Connection: TE
  TE: trailers
  Host: vm189-eth0.vmnet60
  Depth: 1
  Content-Length: 288
  Content-Type: application/xml

  <?xml version="1.0" encoding="utf-8"?>
  <propfind xmlns="DAV:"><prop>
  <getcontentlength xmlns="DAV:"/>
  <getlastmodified xmlns="DAV:"/>
  <executable xmlns="http://apache.org/dav/props/"/>
  <resourcetype xmlns="DAV:"/>
  <checked-in xmlns="DAV:"/>
  <checked-out xmlns="DAV:"/>
  </prop></propfind>


  HTTP/1.1 207 Multi-Status
  Date: Wed, 26 Feb 2014 08:40:23 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Content-Length: 2549
  Content-Type: text/xml; charset="utf-8"

  <?xml version="1.0" encoding="utf-8"?>
  <D:multistatus xmlns:D="DAV:" xmlns:ns1="http://apache.org/dav/props/" xmlns:ns0="DAV:">
  <D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="DAV:" xmlns:g1="http://apache.org/dav/props/">
  <D:href>/svn/</D:href>
  <D:propstat>
  <D:prop>
  <lp1:getlastmodified>Tue, 25 Feb 2014 14:43:59 GMT</lp1:getlastmodified>
  <lp1:resourcetype><D:collection/></lp1:resourcetype>
  <lp1:checked-in><D:href>/svn/!svn/ver/5/</D:href></lp1:checked-in>
  </D:prop>
  <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
  <D:prop>
  <g0:getcontentlength/>
  <g1:executable/>
  <g0:checked-out/>
  </D:prop>
  <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
  </D:response>
  <D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="http://apache.org/dav/props/" xmlns:g1="DAV:">
⇨ <D:href>/svn/a>b</D:href>
  <D:propstat>
  <D:prop>
  <lp1:getcontentlength>10</lp1:getcontentlength>
  <lp1:getlastmodified>Tue, 25 Feb 2014 13:09:01 GMT</lp1:getlastmodified>
  <lp1:resourcetype/>
  <lp1:checked-in><D:href>/svn/!svn/ver/3/a%3Eb</D:href></lp1:checked-in>
  </D:prop>
  <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
  <D:prop>
  <g0:executable/>
  <g1:checked-out/>
  </D:prop>
  <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
  </D:response>
  <D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="DAV:" xmlns:g1="http://apache.org/dav/props/">
⇨ <D:href>/svn/A B/</D:href>
  <D:propstat>
  <D:prop>
  <lp1:getlastmodified>Tue, 25 Feb 2014 12:46:53 GMT</lp1:getlastmodified>
  <lp1:resourcetype><D:collection/></lp1:resourcetype>
  <lp1:checked-in><D:href>/svn/!svn/ver/1/A%20B</D:href></lp1:checked-in>
  </D:prop>
  <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
  <D:prop>
  <g0:getcontentlength/>
  <g1:executable/>
  <g0:checked-out/>
  </D:prop>
  <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
  </D:response>
  <D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="http://apache.org/dav/props/" xmlns:g1="DAV:">
⇨ <D:href>/svn/%2F</D:href>
  <D:propstat>
  <D:prop>
  <lp1:getcontentlength>9</lp1:getcontentlength>
  <lp1:getlastmodified>Tue, 25 Feb 2014 14:43:59 GMT</lp1:getlastmodified>
  <lp1:resourcetype/>
  <lp1:checked-in><D:href>/svn/!svn/ver/5/%252F</D:href></lp1:checked-in>
  </D:prop>
  <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
  <D:prop>
  <g0:executable/>
  <g1:checked-out/>
  </D:prop>
  <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
  </D:response>
  </D:multistatus>

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1284641

Title:
  problem with paths with spaces with 12.04 client with 14.04 server
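
A check for the inconsistency visible in the capture above, as an added example (not part of the original report and not Subversion code): each response carries the same path twice, raw in D:href and percent-encoded in the checked-in version URL, so comparing the two tails flags every unescaped href, including /svn/%2F, which is syntactically valid but names a different resource. The function name and the trimmed sample are constructed here from the hrefs in the capture, and the !svn/ver/<rev>/ layout is assumed from it.

```python
import re
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # ElementTree notation for the DAV: namespace
# Assumed layout of version-resource URLs, taken from the capture:
#   <repository root>!svn/ver/<revision>/<percent-encoded path>
VER = re.compile(r"^(?P<root>.*/)!svn/ver/\d+/(?P<tail>.*)$")

# Constructed sample: the four responses from the capture, trimmed to the
# two hrefs each one carries.
SAMPLE = """<D:multistatus xmlns:D="DAV:" xmlns:lp1="DAV:">
<D:response><D:href>/svn/</D:href><D:propstat><D:prop>
<lp1:checked-in><D:href>/svn/!svn/ver/5/</D:href></lp1:checked-in>
</D:prop></D:propstat></D:response>
<D:response><D:href>/svn/a>b</D:href><D:propstat><D:prop>
<lp1:checked-in><D:href>/svn/!svn/ver/3/a%3Eb</D:href></lp1:checked-in>
</D:prop></D:propstat></D:response>
<D:response><D:href>/svn/A B/</D:href><D:propstat><D:prop>
<lp1:checked-in><D:href>/svn/!svn/ver/1/A%20B</D:href></lp1:checked-in>
</D:prop></D:propstat></D:response>
<D:response><D:href>/svn/%2F</D:href><D:propstat><D:prop>
<lp1:checked-in><D:href>/svn/!svn/ver/5/%252F</D:href></lp1:checked-in>
</D:prop></D:propstat></D:response>
</D:multistatus>"""

def inconsistent_hrefs(multistatus_xml):
    """Return (response href, checked-in href) pairs whose path tails differ."""
    findings = []
    # The sample is a trusted literal; use a hardened XML parser for
    # responses received from a server you do not control.
    root = ET.fromstring(multistatus_xml)
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href")
        ver = resp.findtext(f".//{DAV}checked-in/{DAV}href")
        m = VER.match(ver or "")
        if href is None or m is None or not href.startswith(m["root"]):
            continue  # nothing to compare against
        # Collections end in "/" in D:href but not in the version URL.
        tail = href[len(m["root"]):].rstrip("/")
        if tail != m["tail"].rstrip("/"):
            findings.append((href, ver))
    return findings

if __name__ == "__main__":
    for href, ver in inconsistent_hrefs(SAMPLE):
        print(f"D:href {href!r} does not match encoded path in {ver!r}")
```
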
