Feature #17164
closed
file:/// repository insecure
Added by John Pham about 10 years ago.
Updated almost 10 years ago.
Description
Could there be a way to restrict file:/// URLs in repositories? If SVN projects are accessible by the webserver (likely if using dav_svn), anyone with permission to add a repository has unrestricted access to any repository on the webserver viewable by the server process, almost equivalent to filesystem access.
Save the following code as 'config/initializers/99-restrect-svn-file-scheme.rb' and restart Redmine. You will not be able to set 'file:///.....'.

require_dependency 'repository/subversion.rb'

# Wraps Repository::Subversion#url= so that a URL using the file scheme is
# discarded instead of being written to the record.
module RestrictSvnFileScheme
  def self.included(base)
    base.send(:include, WrapperMethods)
    base.class_eval do
      alias_method_chain :url=, :restrict_file_scheme
    end
  end

  module WrapperMethods
    def url_with_restrict_file_scheme=(v)
      # case-insensitive match on a leading "file://"; any other value is stored as-is
      write_attribute(:url, v) if v !~ %r|\Afile://|i
    end
  end
end

Repository::Subversion.send(:include, RestrictSvnFileScheme)
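The initializer above only looks for a leading "file://". As an added example, not code from this ticket or from Redmine itself, the stand-alone policy object below shows a stricter check a repository URL can be run through before it is saved: a scheme allowlist (so "FILE:", "file:/" and other spellings cannot slip past a prefix match), and, going one step beyond the ticket, an optional allowlist of root directories for local repositories, in the spirit of the "limit valid repository path" setting referred to in the closing comment. The class name RepositoryUrlPolicy, its methods, and the sample roots and URLs are all constructed for this example; percent-decoding and File.expand_path are applied before the root comparison so that "../" segments cannot escape an allowed root.

```ruby
require 'uri'

# Hypothetical policy object (example code, not Redmine's own) that decides
# whether a repository URL may be stored.
class RepositoryUrlPolicy
  # Remote Subversion schemes that are always acceptable.
  REMOTE_SCHEMES = %w[http https svn svn+ssh].freeze

  # allowed_roots: directories under which file:// repositories may live.
  # An empty list disables file:// repositories entirely.
  def initialize(allowed_roots: [])
    @allowed_roots = allowed_roots.map { |r| File.expand_path(r) }
  end

  # Returns [true, nil] when the URL is acceptable, [false, reason] otherwise.
  def check(url)
    return [false, 'blank URL'] if url.nil? || url.strip.empty?

    uri = URI.parse(url.strip)
    scheme = uri.scheme.to_s.downcase          # "FILE:" and "file:" are the same scheme
    return [true, nil] if REMOTE_SCHEMES.include?(scheme)
    return [false, "scheme '#{scheme}' is not allowed"] unless scheme == 'file'
    return [false, 'file:// repositories are disabled'] if @allowed_roots.empty?

    # Decode %2e%2e and friends, then canonicalise so ".." cannot escape a root.
    raw_path = URI::RFC2396_Parser.new.unescape(uri.path.to_s)
    path = File.expand_path(raw_path)
    if under_allowed_root?(path)
      [true, nil]
    else
      [false, "path #{path} is outside the allowed repository roots"]
    end
  rescue URI::InvalidURIError
    [false, 'unparseable URL']
  end

  def permitted?(url)
    check(url).first
  end

  private

  # True when path equals an allowed root or lies strictly beneath it
  # (prefix comparison on a trailing separator avoids matching /var/svnother).
  def under_allowed_root?(path)
    @allowed_roots.any? do |root|
      prefix = root.end_with?('/') ? root : "#{root}/"
      path == root || path.start_with?(prefix)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one policy with local repositories disabled,
  # one that allows them only under /var/svn.
  strict = RepositoryUrlPolicy.new
  local  = RepositoryUrlPolicy.new(allowed_roots: ['/var/svn'])
  [
    'https://svn.example.org/repo',
    'FILE:///etc',
    'file:///var/svn/project',
    'file:///var/svn/../../etc',
    'file:///var/svn/%2e%2e/%2e%2e/etc'
  ].each do |u|
    puts format('%-40s strict=%-5s local=%s', u, strict.permitted?(u), local.permitted?(u))
  end
end
```

In a Redmine model the same check would sit behind a `validate` callback that adds an error on `:url`, so the user sees why the repository was rejected rather than having the value silently dropped as in the initializer above.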
I got the following error on 2.4.2 (Ubuntu 14.04 package):
uninitialized constant Redmine::Scm::Adapters::AbstractAdapter::CommandFailed (NameError)
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:30:in `<class:AbstractAdapter>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:27:in `<module:Adapters>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:26:in `<module:Scm>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:25:in `<module:Redmine>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/abstract_adapter.rb:24:in `<top (required)>'
/var/lib/redmine/default/passenger/lib/redmine/scm/adapters/subversion_adapter.rb:18:in `<top (required)>'
/var/lib/redmine/default/passenger/app/models/repository/subversion.rb:18:in `<top (required)>'
/var/lib/redmine/default/passenger/config/initializers/99-restrict-svn-file-schema.rb:1:in `<top (required)>'
/usr/lib/ruby/vendor_ruby/rails/engine.rb:593:in `block (2 levels) in <class:Engine>'
/usr/lib/ruby/vendor_ruby/rails/engine.rb:592:in `each'
/usr/lib/ruby/vendor_ruby/rails/engine.rb:592:in `block in <class:Engine>'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:30:in `instance_exec'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:30:in `run'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:55:in `block in run_initializers'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:54:in `each'
/usr/lib/ruby/vendor_ruby/rails/initializable.rb:54:in `run_initializers'
/usr/lib/ruby/vendor_ruby/rails/application.rb:136:in `initialize!'
/usr/lib/ruby/vendor_ruby/rails/railtie/configurable.rb:30:in `method_missing'
/var/lib/redmine/default/passenger/config/environment.rb:14:in `<top (required)>'
config.ru:3:in `require'
config.ru:3:in `block in <main>'
/usr/lib/ruby/vendor_ruby/rack/builder.rb:51:in `instance_eval'
/usr/lib/ruby/vendor_ruby/rack/builder.rb:51:in `initialize'
config.ru:1:in `new'
config.ru:1:in `<main>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval'
/usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app'
/usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'
but adding
class CommandFailed < StandardError #:nodoc:
end
seems to fix it. Thanks!
- Related to Defect #18291: Path property security issue when adding filesystem repository added
- Status changed from New to Closed
- Resolution set to Duplicate
Closing as a dup of #1415 which is addressed for 3.0 by adding configuration settings to limit valid repository path.
- Related to deleted (Defect #18291: Path property security issue when adding filesystem repository)
- Related to Feature #1415: Let system administrator limit repositories valid sources added