Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-1710

The auth provider next/save functions need the realmstring

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: all
    • Fix Version/s: 1.0-consider
    • Component/s: libsvn_subr
    • Labels:
      None

      Description

      An API change is required to support HTTPS for any code other then
      the default svn client. Until fixed this is likely to prevent rapidsvn,
      pysvn, TortoiseSVN etc from supporting HTTPS: URL's.
      
      Here is Tobias Ringstrom analysis --------------------------------
      
      Interesting. Yes, this is a horrible (and quite old) misuse of the provider
      baton. I can see two ways to fix this: We can either add the realmstring to all
      credential structs, or we can add a realmstring to the next and save providers
      functions. The cred_kind/realmstring pair is the key when you search for
      credentials, so it makes a lot of sense to go for the second alternative, i.e.
      to add a realmstring parameter to the next and save functions.
      
      My original mail ------------------------------------------------
      
      I'm testing SSL callbacks for the pysvn python extension and I'm seeing a
      reproducible crash with 0.36.0.
      
      Pysvn uses the svncpp library from rapidsvn patched to support 0.36.0.
      
      I don't know if its the svncpp code or the svn code that is in
      error here. Can an SSL auth export comment on where a fix needs
      to be made please?
      
      The crash occurs in svn_config_write_auth_data that is passed the
      realmstring as NULL from ssl_server_trust_file_save_credentials
      (ssl_server_providers.c).
      
      This is because pb->realmstring is NULL in
      ssl_server_trust_file_save_credential.
      
      With the subversion client pb->realmstring will be setup by the code in
      ssl_server_trust_file_first_credentials.
      
      But the svncpp code has its own provider that implements the
      first_credentials callback but not the save_credentials callback.
      
      The code in svn_auth_save_credentials (libsvn_subr/auth.c) is designed
      to hunt for a save_creditials callback. It loops over the providers,
      and ends up calling ssl_server_trust_file_save_credentials has no
      way of being given the realmstring and a crash occurs.
      
      0.35.1 did not crash, it also did not save credential at all. I'm
      guess that bug was fixed and exposed this new one.
      
      The svncpp code that handles this is in src\svncpp\context.cpp in
      the rapidsvn repository. I've applied this patch against the latest
      version to support 0.36.0.
      

      Original issue reported by barryscott

        Attachments

        1. 1_auth-realmstring.diff
          16 kB
          Subversion Importer

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              subversion-importer Subversion Importer
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: