Feature #17164
file:/// repository insecure
Status: Closed
Priority: Normal
Assignee: -
Category: SCM
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Duplicate
Description
Could there be a way to restrict file:/// URLs in repositories? If SVN projects are accessible by the webserver (likely if using dav_svn), anyone with permissions to add a repository has unrestricted access to any repository on the webserver viewable by the server process, almost equivalent to filesystem access.
Updated by Go MAEDA over 10 years ago
Save the following code as 'config/initializers/99-restrect-svn-file-scheme.rb' and restart Redmine. You will not be able to set 'file:///.....'.
require_dependency 'repository/subversion.rb'

module RestrictSvnFileScheme
  def self.included(base)
    base.send(:include, WrapperMethods)
    base.class_eval do
      # Route Repository::Subversion#url= through the wrapper below
      alias_method_chain :url=, :restrict_file_scheme
    end
  end

  module WrapperMethods
    # Store the URL only when it does not start with file:// (case-insensitive);
    # a file:// value is silently ignored and the attribute is left unchanged.
    def url_with_restrict_file_scheme=(v)
      write_attribute(:url, v) if v !~ %r|\Afile://|i
    end
  end
end

Repository::Subversion.send(:include, RestrictSvnFileScheme)
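An allowlist variant of the scheme check in the initializer above, as an added example that is not part of the original comment or of Redmine: it accepts only the schemes listed in ALLOWED_SCHEMES (an assumed policy) and returns a reason instead of silently dropping the value. The function names and the sample URLs are constructed for illustration.

```ruby
require 'uri'

# Assumed policy: only network-reachable Subversion schemes are acceptable.
ALLOWED_SCHEMES = %w[http https svn svn+ssh].freeze

# Constructed sample values, e.g. repository URLs submitted through the form.
SAMPLE_URLS = [
  'https://svn.example.com/repos/project',
  'svn+ssh://svn.example.com/srv/project',
  'file:///var/svn/other-project',
  'FILE:///var/svn/other-project',
  '/var/svn/other-project'
].freeze

# Returns [true, nil] when the URL may be stored, otherwise [false, reason].
def check_repository_url(raw)
  url = raw.to_s.strip
  return [false, 'URL is empty'] if url.empty?

  begin
    uri = URI.parse(url)
  rescue URI::InvalidURIError
    return [false, 'URL cannot be parsed']
  end

  # Compare case-insensitively; a bare path has no scheme at all.
  scheme = uri.scheme.to_s.downcase
  return [false, 'URL has no scheme'] if scheme.empty?
  unless ALLOWED_SCHEMES.include?(scheme)
    return [false, "scheme '#{scheme}' is not allowed"]
  end
  return [false, 'URL has no host'] if uri.host.to_s.empty?

  [true, nil]
end

# Lists the URLs that the policy refuses, for reviewing existing entries.
def rejected_urls(urls)
  urls.reject { |u| check_repository_url(u).first }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_URLS.each do |u|
    ok, reason = check_repository_url(u)
    puts format('%-45s %s', u, ok ? 'accepted' : "rejected: #{reason}")
  end
end
```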
Updated by John Pham over 10 years ago
I got the following error on 2.4.2 (ubuntu 14.04 package):
uninitialized constant Redmine::Scm::Adapters::AbstractAdapter::CommandFailed (NameError)
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:30:in `<class:AbstractAdapter>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:27:in `<module:Adapters>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:26:in `<module:Scm>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:25:in `<module:Redmine>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:24:in `<top (required)>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/subversion_adapter.rb:18:in `<top (required)>'
/var/lib/redmine/default/passenger/app/models/repository/subversion.rb:18:in `<top (required)>'
/var/lib/redmine/default/passenger/config/initializers/99-restrict-svn-file-schema.rb:1:in `<top (required)>'
/usr/lib/ruby/vendor_ruby/rails/engine.rb:593:in `block (2 levels) in <class:Engine>'
/usr/lib/ruby/vendor_ruby/rails/engine.rb:592:in `each'
/usr/lib/ruby/vendor_ruby/rails/engine.rb:592:in `block in <class:Engine>'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:30:in `instance_exec'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:30:in `run'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:55:in `block in run_initializers'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:54:in `each'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:54:in `run_initializers'
/usr/lib/ruby/vendor_ruby/rails/application.rb:136:in `initialize!'
/usr/lib/ruby/vendor_ruby/rails/railtie/configurable.rb:30:in `method_missing'
/var/lib/redmine/default/passenger/config/environment.rb:14:in `<top (required)>'
config.ru:3:in `require'
config.ru:3:in `block in <main>'
/usr/lib/ruby/vendor_ruby/rack/builder.rb:51:in `instance_eval'
/usr/lib/ruby/vendor_ruby/rack/builder.rb:51:in `initialize'
config.ru:1:in `new'
config.ru:1:in `<main>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval'
/usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app'
/usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'
but adding
class CommandFailed < StandardError #:nodoc:
end
seems to fix it. Thanks!
Updated by Go MAEDA about 10 years ago
- Related to Defect #18291: Path property security issue when adding filesystem repository added
Updated by Jean-Philippe Lang about 10 years ago
- Status changed from New to Closed
- Resolution set to Duplicate
Closing as a dup of #1415 which is addressed for 3.0 by adding configuration settings to limit valid repository path.
Updated by Jean-Philippe Lang about 10 years ago
- Related to deleted (Defect #18291: Path property security issue when adding filesystem repository)
Updated by Jean-Philippe Lang about 10 years ago
- Related to Feature #1415: Let system administrator limit repositories valid sources added