chiark / gitweb /
~ianmdlvl / fdroidserver.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 654b3cb) | patch
SVN: only allow redirects to HTTPS
authorHans-Christoph Steiner <hans@eds.org>
Fri, 2 Mar 2018 09:21:55 +0000 (10:21 +0100)
committerHans-Christoph Steiner <hans@eds.org>
Mon, 5 Mar 2018 08:45:58 +0000 (09:45 +0100)
commit6cd8f2ffeaaf943a716dd9dee73eb5d3da6db754
tree415e007812262f0cbbcec3c521535cc9787a936ctree | snapshot
parent654b3cb9dc9b68c50c70c517430a282e3e0714b3commit | diff
SVN: only allow redirects to HTTPS

"SVN follows HTTP 301 redirects to svn+ssh:// URLs. As a result, an
innocent looking HTTP URL can be used to trigger a Command Execution with a
301 redirect."
https://blog.recurity-labs.com/2017-08-10/scm-vulns.html#third-round-svn-and-mercurial

I scanned fdroiddata and found no suspicious redirects.  Here's how:

grep -A1 '^Repo *Type: *git-svn' *.txt *.yml| sed -n 's,.*Repo:\(.*\),\1,p' > /tmp/urls.txt

import requests
with open('/tmp/urls.txt') as fp:
    for line in fp:
        try:
            r = requests.head(line.strip())
            print(r.status_code, line)
        except requests.exceptions.SSLError:
            print('SSLError', line)
fdroidserver/common.py diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.