6.0.0-beta4
▾
Tasks
New Task
Search
Photos
Wiki
▾
Tickets
New Ticket
Search
dev.horde.org
Toggle Alerts Log
Help
3/13/26
History
Attachments
Comment
Watch
Download
Comment on [#5051] SVN integration is not robust and has poor error reporting
*
Your Email Address
*
Spam protection
Enter the letters below:
.___.__ .__ .__ . . [__ [__)[ __[__)|_/ | | [_./[__)| \
Comment
> Judging from posts on the mailing lists, it is common that a user > installs Chora and configures it to use SVN but the content of the > repositories are not shown, yet there are no error messages and no > messages in the logs and there does not seem to be an apparent > misconfiguration. > > > > The attached patch tries to improve this situation by making the > following changes: > > > > (1) > > > > In VC::getPath(), the path of the SVN (or any other) binary is only > returned if php determines it is executable. This was introduced > without explanation in log message or comment in version 1.7: > > > > http://cvs.horde.org/diff.php?r1=1.6&r2=1.7&f=framework%2FVC%2FVC.php > > > > This is wrong for two reasons: > > > > First, when a PHP basedir restriction to the htdocs/ directory is > active (common on many webservers), PHP's built-in function > "is_executable" cannot access files in, say, /usr/bin although it can > execute this file. Infact, the only way to see if the file can be > executed is to try to execute it. Thus, the use of "is_executable" > here forces the user to extend the basedir restriction to /usr/bin, > which is a bad idea from a security point of view. > > > > Second, the error return value "false" is never checked within > "svn.php" and therefore wrong commands will be executed. E.g. when > the main module list of the SVN repository is supposed to be shown, > Chora will build a string of the form "/usr/bin/svn ls > /path/to/repository". If "/usr/bin/svn" is not found, "ls > /path/to/repository" will be executed instead. This will succeed (=> > no error message), but the returned output will not match the > expected output (=> modules list will be empty). Thus, the user has > no chance to find out what is wrong than to debug the code. > > > > Therefore the patch restores the code which was present in rev 1.6 of > VC.php. This will always try to execute the SVN binary. If the SVN > binary is not found, a sensible error message will be shown. > > > > (2) > > > > A common configuration on web servers (e.g. the default configuration > on SUSE 9.x) is that the apache process runs as root but the web > pages are handled by the "wwwroot" user which has low privileges. > Since the apache process is started as root, its HOME dir will point > to "/root". In this case, svn, when started by the "wwwroot" user > will look for the presence of "/root/.svn" and fail because it > obviously is denied access. This behaviour can be prevented by > explicitely setting the "--config-dir" directive to a directory the > current user has access to (say, something like "/tmp"). The attached > patch automates this behaviour. > >
Attachment
Watch this ticket
New Ticket
My Tickets
Search
Query Builder
Reports
Saved Queries
Open Bugs
Bugs waiting for Feedback
Open Bugs in Releases
Open Enhancements
Enhancements waiting for Feedback
Bugs with Patches
Enhancements with Patches
Release Showstoppers
Stalled Tickets
New Tickets
Horde 5 Showstoppers