Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-1710

The auth provider next/save functions need the realmstring

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • all
    • 1.0-consider
    • libsvn_subr
    • None

    Description

      An API change is required to support HTTPS for any code other then
the default svn client. Until fixed this is likely to prevent rapidsvn,
pysvn, TortoiseSVN etc from supporting HTTPS: URL's.

Here is Tobias Ringstrom analysis --------------------------------

Interesting. Yes, this is a horrible (and quite old) misuse of the provider
baton. I can see two ways to fix this: We can either add the realmstring to all
credential structs, or we can add a realmstring to the next and save providers
functions. The cred_kind/realmstring pair is the key when you search for
credentials, so it makes a lot of sense to go for the second alternative, i.e.
to add a realmstring parameter to the next and save functions.

My original mail ------------------------------------------------

I'm testing SSL callbacks for the pysvn python extension and I'm seeing a
reproducible crash with 0.36.0.

Pysvn uses the svncpp library from rapidsvn patched to support 0.36.0.

I don't know if its the svncpp code or the svn code that is in
error here. Can an SSL auth export comment on where a fix needs
to be made please?

The crash occurs in svn_config_write_auth_data that is passed the
realmstring as NULL from ssl_server_trust_file_save_credentials
(ssl_server_providers.c).

This is because pb->realmstring is NULL in
ssl_server_trust_file_save_credential.

With the subversion client pb->realmstring will be setup by the code in
ssl_server_trust_file_first_credentials.

But the svncpp code has its own provider that implements the
first_credentials callback but not the save_credentials callback.

The code in svn_auth_save_credentials (libsvn_subr/auth.c) is designed
to hunt for a save_creditials callback. It loops over the providers,
and ends up calling ssl_server_trust_file_save_credentials has no
way of being given the realmstring and a crash occurs.

0.35.1 did not crash, it also did not save credential at all. I'm
guess that bug was fixed and exposed this new one.

The svncpp code that handles this is in src\svncpp\context.cpp in
the rapidsvn repository. I've applied this patch against the latest
version to support 0.36.0.

      Original issue reported by barryscott

      Attachments

        1. 1_auth-realmstring.diff
          16 kB
          Subversion Importer

        Activity

          People

            Unassigned Unassigned
            subversion-importer Subversion Importer
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: