Review
r1804691

r1804691 | danielsh | 2017-08-10 18:14:13 +0000 (Thu, 10 Aug 2017)

Fix CVE-2017-9800.

See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt

* subversion/libsvn_ra_svn/client.c
  (svn_ctype.h): Include.
  (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
    Expect the 'hostinfo' parameter to be URI-decoded.
  (is_valid_hostinfo): New.
  (ra_svn_open): Validate the hostname before using it.

* subversion/libsvn_subr/config_file.c
  (svn_config_ensure): Update the example configuration likewise.

Patch by: philip
Review by: danielsh
           stsp
           astieger (earlier version)
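
The two measures named in the log message above (a "--" end-of-options guard before the host argument, and validating the hostname before it is used), as an added C example that is not Subversion's code. The function names, the exact rejection rules and the argv layout are assumptions, and the sample hostinfo strings are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check (not Subversion's is_valid_hostinfo): refuse a
   URI-decoded hostinfo that is empty, starts with '-' (ssh would read it
   as an option), or contains control characters. */
static int hostinfo_is_safe(const char *hostinfo)
{
    const unsigned char *p = (const unsigned char *)hostinfo;

    if (hostinfo == NULL || *p == '\0' || *p == '-')
        return 0;
    for (; *p != '\0'; ++p)
        if (iscntrl(*p))
            return 0;
    return 1;
}

/* Assumed argv layout: ssh -q -- <hostinfo> svnserve -t, NULL-terminated.
   Returns argc, or -1 if hostinfo is refused or argv has fewer than 7 slots. */
static int build_tunnel_argv(const char *hostinfo, const char **argv, size_t cap)
{
    static const char *const head[] = { "ssh", "-q", "--" };
    static const char *const tail[] = { "svnserve", "-t" };
    size_t n = 0, i;

    if (!hostinfo_is_safe(hostinfo) || cap < 7)
        return -1;
    for (i = 0; i < 3; ++i)
        argv[n++] = head[i];
    argv[n++] = hostinfo;
    for (i = 0; i < 2; ++i)
        argv[n++] = tail[i];
    argv[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "user@svn.example.org", "-oExample=1", "svn\nhost" };
    const char *argv[7];
    size_t i;

    for (i = 0; i < 3; ++i)
        printf("sample %u -> argc %d\n", (unsigned)i,
               build_tunnel_argv(samples[i], argv, 7));
    return 0;
}
```

The validation and the guard are independent: the guard stops ssh from parsing the host argument as an option, and the validation refuses such a value before any process is started.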