# ./pullrev.sh 1692801 1694012

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3187

http://svn.apache.org/viewvc?view=revision&revision=1692801

- excluding changes from CVE-2015-3184

diff -uap subversion-1.7.14/subversion/libsvn_repos/rev_hunt.c.cve3187 subversion-1.7.14/subversion/libsvn_repos/rev_hunt.c

--- subversion-1.7.14/subversion/libsvn_repos/rev_hunt.c.cve3187

+++ subversion-1.7.14/subversion/libsvn_repos/rev_hunt.c

@@ -721,23 +721,6 @@ svn_repos_trace_node_locations(svn_fs_t

       if (! prev_path)

         break;

-      if (authz_read_func)

-        {

-          svn_boolean_t readable;

-          svn_fs_root_t *tmp_root;

-

-          SVN_ERR(svn_fs_revision_root(&tmp_root, fs, revision, currpool));

-          SVN_ERR(authz_read_func(&readable, tmp_root, path,

-                                  authz_read_baton, currpool));

-          if (! readable)

-            {

-              svn_pool_destroy(lastpool);

-              svn_pool_destroy(currpool);

-

-              return SVN_NO_ERROR;

-            }

-        }

-

       /* Assign the current path to all younger revisions until we reach

          the copy target rev. */

       while ((revision_ptr < revision_ptr_end)

@@ -760,6 +743,20 @@ svn_repos_trace_node_locations(svn_fs_t

       path = prev_path;

       revision = prev_rev;

+      if (authz_read_func)

+        {

+          svn_boolean_t readable;

+          SVN_ERR(svn_fs_revision_root(&root, fs, revision, currpool));

+          SVN_ERR(authz_read_func(&readable, root, path,

+                                  authz_read_baton, currpool));

+          if (!readable)

+            {

+              svn_pool_destroy(lastpool);

+              svn_pool_destroy(currpool);

+              return SVN_NO_ERROR;

+            }

+        }

+

       /* Clear last pool and switch. */

       svn_pool_clear(lastpool);

       tmppool = lastpool;

diff -uap subversion-1.7.14/subversion/tests/cmdline/authz_tests.py.cve3187 subversion-1.7.14/subversion/tests/cmdline/authz_tests.py

--- subversion-1.7.14/subversion/tests/cmdline/authz_tests.py.cve3187

+++ subversion-1.7.14/subversion/tests/cmdline/authz_tests.py

@@ -608,8 +608,10 @@ def authz_log_and_tracing_test(sbox):

   ## cat

+  expected_err2 = ".*svn: E195012: Unable to find repository location.*"

+

   # now see if we can look at the older version of rho

-  svntest.actions.run_and_verify_svn(None, None, expected_err,

+  svntest.actions.run_and_verify_svn(None, None, expected_err2,

                                      'cat', '-r', '2', D_url+'/rho')

   if sbox.repo_url.startswith('http'):

@@ -626,10 +628,11 @@ def authz_log_and_tracing_test(sbox):

   svntest.actions.run_and_verify_svn(None, None, expected_err,

                                      'diff', '-r', 'HEAD', G_url+'/rho')

-  svntest.actions.run_and_verify_svn(None, None, expected_err,

+  # diff treats the unreadable path as indicating an add so no error

+  svntest.actions.run_and_verify_svn(None, None, [],

                                      'diff', '-r', '2', D_url+'/rho')

-  svntest.actions.run_and_verify_svn(None, None, expected_err,

+  svntest.actions.run_and_verify_svn(None, None, [],

                                      'diff', '-r', '2:4', D_url+'/rho')

 # test whether read access is correctly granted and denied

diff -uap subversion-1.7.14/subversion/tests/libsvn_repos/repos-test.c.cve3187 subversion-1.7.14/subversion/tests/libsvn_repos/repos-test.c

--- subversion-1.7.14/subversion/tests/libsvn_repos/repos-test.c.cve3187

+++ subversion-1.7.14/subversion/tests/libsvn_repos/repos-test.c

@@ -2526,6 +2526,246 @@ issue_4060(const svn_test_opts_t *opts,

   return SVN_NO_ERROR;

 }

+static svn_error_t *

+mkdir_delete_copy(svn_repos_t *repos,

+                  const char *src,

+                  const char *dst,

+                  apr_pool_t *pool)

+{

+  svn_fs_t *fs = svn_repos_fs(repos);

+  svn_revnum_t youngest_rev;

+  svn_fs_txn_t *txn;

+  svn_fs_root_t *txn_root, *rev_root;

+

+  SVN_ERR(svn_fs_youngest_rev(&youngest_rev, fs, pool));

+  

+  SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, pool));

+  SVN_ERR(svn_fs_txn_root(&txn_root, txn, pool));

+  SVN_ERR(svn_fs_make_dir(txn_root, "A/T", pool));

+  SVN_ERR(svn_repos_fs_commit_txn(NULL, repos, &youngest_rev, txn, pool));

+

+  SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, pool));

+  SVN_ERR(svn_fs_txn_root(&txn_root, txn, pool));

+  SVN_ERR(svn_fs_delete(txn_root, "A/T", pool));

+  SVN_ERR(svn_repos_fs_commit_txn(NULL, repos, &youngest_rev, txn, pool));

+

+  SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, pool));

+  SVN_ERR(svn_fs_txn_root(&txn_root, txn, pool));

+  SVN_ERR(svn_fs_revision_root(&rev_root, fs, youngest_rev - 1, pool));

+  SVN_ERR(svn_fs_copy(rev_root, src, txn_root, dst, pool));

+  SVN_ERR(svn_repos_fs_commit_txn(NULL, repos, &youngest_rev, txn, pool));

+

+  return SVN_NO_ERROR;

+}

+

+struct authz_read_baton_t {

+  apr_hash_t *paths;

+  apr_pool_t *pool;

+  const char *deny;

+};

+

+static svn_error_t *

+authz_read_func(svn_boolean_t *allowed,

+                svn_fs_root_t *root,

+                const char *path,

+                void *baton,

+                apr_pool_t *pool)

+{

+  struct authz_read_baton_t *b = baton;

+

+  if (b->deny && !strcmp(b->deny, path))

+    *allowed = FALSE;

+  else

+    *allowed = TRUE;

+

+  apr_hash_set(b->paths, apr_pstrdup(b->pool, path), APR_HASH_KEY_STRING,

+               (void*)1);

+

+  return SVN_NO_ERROR;

+}

+

+static svn_error_t *

+verify_locations(apr_hash_t *actual,

+                 apr_hash_t *expected,

+                 apr_hash_t *checked,

+                 apr_pool_t *pool)

+{

+  apr_hash_index_t *hi;

+

+  for (hi = apr_hash_first(pool, expected); hi; hi = apr_hash_next(hi))

+    {

+      const svn_revnum_t *rev = svn__apr_hash_index_key(hi);

+      const char *path = apr_hash_get(actual, rev, sizeof(svn_revnum_t));

+

+      if (!path)

+        return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,

+                                 "expected %s for %d found (null)",

+                                 (char*)svn__apr_hash_index_val(hi),

+                                 (int)*rev);

+      else if (strcmp(path, svn__apr_hash_index_val(hi)))

+        return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,

+                                 "expected %s for %d found %s",

+                                 (char*)svn__apr_hash_index_val(hi),

+                                 (int)*rev, path);

+

+    }

+

+  for (hi = apr_hash_first(pool, actual); hi; hi = apr_hash_next(hi))

+    {

+      const svn_revnum_t *rev = svn__apr_hash_index_key(hi);

+      const char *path = apr_hash_get(expected, rev, sizeof(svn_revnum_t));

+

+      if (!path)

+        return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,

+                                 "found %s for %d expected (null)",

+                                 (char*)svn__apr_hash_index_val(hi),

+                                 (int)*rev);

+      else if (strcmp(path, svn__apr_hash_index_val(hi)))

+        return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,

+                                 "found %s for %d expected %s",

+                                 (char*)svn__apr_hash_index_val(hi),

+                                 (int)*rev, path);

+

+      if (!apr_hash_get(checked, path, APR_HASH_KEY_STRING))

+        return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,

+                                 "did not check %s", path);

+    }

+

+  return SVN_NO_ERROR;

+}

+

+static void

+set_expected(apr_hash_t *expected,

+             svn_revnum_t rev,

+             const char *path,

+             apr_pool_t *pool)

+{

+  svn_revnum_t *rp = apr_palloc(pool, sizeof(svn_revnum_t));

+  *rp = rev;

+  apr_hash_set(expected, rp, sizeof(svn_revnum_t), path);

+}

+

+static svn_error_t *

+trace_node_locations_authz(const svn_test_opts_t *opts,

+                           apr_pool_t *pool)

+{

+  svn_repos_t *repos;

+  svn_fs_t *fs;

+  svn_revnum_t youngest_rev = 0;

+  svn_fs_txn_t *txn;

+  svn_fs_root_t *txn_root;

+  struct authz_read_baton_t arb;

+  apr_array_header_t *revs = apr_array_make(pool, 10, sizeof(svn_revnum_t));

+  apr_hash_t *locations;

+  apr_hash_t *expected = apr_hash_make(pool);

+  int i;

+

+  /* Create test repository. */

+  SVN_ERR(svn_test__create_repos(&repos, "test-repo-trace-node-locations-authz",

+                                 opts, pool));

+  fs = svn_repos_fs(repos);

+

+  /* r1 create A */

+  SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, pool));

+  SVN_ERR(svn_fs_txn_root(&txn_root, txn, pool));

+  SVN_ERR(svn_fs_make_dir(txn_root, "A", pool));

+  SVN_ERR(svn_fs_make_file(txn_root, "A/f", pool));

+  SVN_ERR(svn_test__set_file_contents(txn_root, "A/f", "foobar", pool));

+  SVN_ERR(svn_repos_fs_commit_txn(NULL, repos, &youngest_rev, txn, pool));

+

+  /* r4 copy A to B */

+  SVN_ERR(mkdir_delete_copy(repos, "A", "B", pool));

+

+  /* r7 copy B to C */

+  SVN_ERR(mkdir_delete_copy(repos, "B", "C", pool));

+

+  /* r10 copy C to D */

+  SVN_ERR(mkdir_delete_copy(repos, "C", "D", pool));

+

+  SVN_ERR(svn_fs_youngest_rev(&youngest_rev, fs, pool));

+  SVN_ERR_ASSERT(youngest_rev == 10);

+

+  arb.paths = apr_hash_make(pool);

+  arb.pool = pool;

+  arb.deny = NULL;

+

+  apr_array_clear(revs);

+  for (i = 0; i <= youngest_rev; ++i)

+    APR_ARRAY_PUSH(revs, svn_revnum_t) = i;

+  set_expected(expected, 10, "/D/f", pool);

+  set_expected(expected, 8, "/C/f", pool);

+  set_expected(expected, 7, "/C/f", pool);

+  set_expected(expected, 5, "/B/f", pool);

+  set_expected(expected, 4, "/B/f", pool);

+  set_expected(expected, 2, "/A/f", pool);

+  set_expected(expected, 1, "/A/f", pool);

+  apr_hash_clear(arb.paths);

+  SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,

+                                         authz_read_func, &arb, pool));

+  SVN_ERR(verify_locations(locations, expected, arb.paths, pool));

+

+  apr_array_clear(revs);

+  for (i = 1; i <= youngest_rev; ++i)

+    APR_ARRAY_PUSH(revs, svn_revnum_t) = i;

+  apr_hash_clear(arb.paths);

+  SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,

+                                         authz_read_func, &arb, pool));

+  SVN_ERR(verify_locations(locations, expected, arb.paths, pool));

+

+  apr_array_clear(revs);

+  for (i = 2; i <= youngest_rev; ++i)

+    APR_ARRAY_PUSH(revs, svn_revnum_t) = i;

+  set_expected(expected, 1, NULL, pool);

+  apr_hash_clear(arb.paths);

+  SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,

+                                         authz_read_func, &arb, pool));

+  SVN_ERR(verify_locations(locations, expected, arb.paths, pool));

+

+  apr_array_clear(revs);

+  for (i = 3; i <= youngest_rev; ++i)

+    APR_ARRAY_PUSH(revs, svn_revnum_t) = i;

+  set_expected(expected, 2, NULL, pool);

+  apr_hash_clear(arb.paths);

+  SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,

+                                         authz_read_func, &arb, pool));

+  SVN_ERR(verify_locations(locations, expected, arb.paths, pool));

+

+  apr_array_clear(revs);

+  for (i = 6; i <= youngest_rev; ++i)

+    APR_ARRAY_PUSH(revs, svn_revnum_t) = i;

+  set_expected(expected, 5, NULL, pool);

+  set_expected(expected, 4, NULL, pool);

+  apr_hash_clear(arb.paths);

+  SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,

+                                         authz_read_func, &arb, pool));

+  SVN_ERR(verify_locations(locations, expected, arb.paths, pool));

+

+  arb.deny = "/B/f";

+  apr_array_clear(revs);

+  for (i = 0; i <= youngest_rev; ++i)

+    APR_ARRAY_PUSH(revs, svn_revnum_t) = i;

+  apr_hash_clear(arb.paths);

+  SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,

+                                         authz_read_func, &arb, pool));

+  SVN_ERR(verify_locations(locations, expected, arb.paths, pool));

+

+  apr_array_clear(revs);

+  for (i = 6; i <= youngest_rev; ++i)

+    APR_ARRAY_PUSH(revs, svn_revnum_t) = i;

+  apr_hash_clear(arb.paths);

+  SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,

+                                         authz_read_func, &arb, pool));

+  SVN_ERR(verify_locations(locations, expected, arb.paths, pool));

+

+  APR_ARRAY_PUSH(revs, svn_revnum_t) = 0;

+  apr_hash_clear(arb.paths);

+  SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,

+                                         authz_read_func, &arb, pool));

+  SVN_ERR(verify_locations(locations, expected, arb.paths, pool));

+

+  return SVN_NO_ERROR;

+}

+

 /* The test table.  */

@@ -2562,5 +2802,7 @@ struct svn_test_descriptor_t test_funcs[

                        "test svn_repos_get_file_revsN"),

     SVN_TEST_OPTS_PASS(issue_4060,

                        "test issue 4060"),

+    SVN_TEST_OPTS_PASS(trace_node_locations_authz,

+                       "authz for svn_repos_trace_node_locations"),

     SVN_TEST_NULL

   };