cve-2011-1783, cve-2011-1921: Add some sanity checking to make sure
authz requests always begin with '/'. This prevents a couple of
failure modes in authz checking. From upstream 1.6.17.
--- a/subversion/mod_dav_svn/authz.c
+++ b/subversion/mod_dav_svn/authz.c
@@ -46,6 +46,11 @@ dav_svn__allow_read(request_rec *r,
return TRUE;
}
+ /* Sometimes we get paths that do not start with '/' and
+ hence below uri concatenation would lead to wrong uris .*/
+ if (path && path[0] != '/')
+ path = apr_pstrcat(pool, "/", path, NULL);
+
/* If bypass is specified and authz has exported the provider.
Otherwise, we fall through to the full version. This should be
safer than allowing or disallowing all accesses if there is a
--- a/subversion/libsvn_repos/authz.c
+++ b/subversion/libsvn_repos/authz.c
@@ -746,6 +746,9 @@ svn_repos_authz_check_access(svn_authz_t *authz, c
return SVN_NO_ERROR;
}
+ /* Sanity check. */
+ SVN_ERR_ASSERT(path[0] == '/');
+
/* Determine the granted access for the requested path. */
while (!authz_get_path_access(authz->cfg, repos_name,
current_path, user,
![[patchlogo]](http://patch-tracker.debian.org/static/img/swirlpatch.png)