Bug #26159 for SVN-Web: Disclosure of local paths

Sun Apr 08 09:59:57 2007 haarg [...] haarg.org - Ticket created

Subject:

Disclosure of local paths

With the latest versions of SVN::Web that use SVN::Client, local repository paths are displayed on the repository list. This is both useless to a user and disclosure of private data. I have written a patch to SVN::Web::List and the list template that allows you to either hide local repository URLs, all URLs, or show a different URL publicly than is used internally.

Subject:

url_aliasing.patch

Index: lib/SVN/Web/List.pm =================================================================== --- lib/SVN/Web/List.pm (revision 1300) +++ lib/SVN/Web/List.pm (working copy) @@ -23,6 +23,7 @@ class: SVN::Web::List opts: redirect_to_browse_when_one_repo: 0 # or 1 + public_repos_uri: hide_local ... =head1 DESCRIPTION @@ -44,6 +45,15 @@ Defaults to 0. +=item public_repos_uri + +Can be 'hide_local', which will hide the URL for any file:// repositories, +'hide_all', which will hide all repositories, or a hash. The hash should be +keyed by the repository name, and the values should be either a URL display, or +a false value to hide the URL. + +The default is to show all repository URLs. + =back =head1 TEMPLATE VARIABLES @@ -84,6 +94,27 @@ return; } + my $public_repos = $self->{opts}{public_repos_uri}; + if (lc $public_repos eq 'hide_all') { + for my $rep (values %repos) { + undef $rep; + } + } + elsif (lc $public_repos eq 'hide_local') { + for my $rep (values %repos) { + if ($rep =~ m{file://}) { + undef $rep; + } + } + } + elsif (ref $public_repos eq 'HASH') { + for my $repname (keys %repos) { + if (exists $public_repos->{$repname}) { + $repos{$repname} = $public_repos->{$repname}; + } + } + } + return { template => 'list', data => { Index: lib/SVN/Web/Template/trac/list =================================================================== --- lib/SVN/Web/Template/trac/list (revision 1300) +++ lib/SVN/Web/Template/trac/list (working copy) @@ -6,7 +6,7 @@ <ul> [% FOREACH r = repos %] - <li><a href="[% c.script %]/[% r.key %]">[% r.key %]</a> <span class="reponame">→ [% r.value %]</span></li> + <li><a href="[% c.script %]/[% r.key %]">[% r.key %]</a>[% IF r.value %] <span class="reponame">→ [% r.value %]</span>[% END %]</li> [% END %] </ul> [% ELSE %]

Fri May 25 07:51:06 2012 dean [...] fragfest.com.au - Correspondence added

On Sun Apr 08 09:59:57 2007, haarg wrote: Show quoted text

> With the latest versions of SVN::Web that use SVN::Client, local > repository paths are displayed on the repository list. This is both > useless to a user and disclosure of private data. > > I have written a patch to SVN::Web::List and the list template that > allows you to either hide local repository URLs, all URLs, or show a > different URL publicly than is used internally.

merged for next release, see https://github.com/djzort/SVN-Web

Fri May 25 07:51:07 2012 The RT System itself - Status changed from 'new' to 'open'

Fri May 25 07:51:08 2012 dean [...] fragfest.com.au - Status changed from 'open' to 'patched'

Fri May 25 07:53:47 2012 dean [...] fragfest.com.au - Correspondence added

On Fri May 25 07:51:06 2012, djzort wrote: Show quoted text

> On Sun Apr 08 09:59:57 2007, haarg wrote:

> > With the latest versions of SVN::Web that use SVN::Client, local > > repository paths are displayed on the repository list. This is both > > useless to a user and disclosure of private data. > > > > I have written a patch to SVN::Web::List and the list template that > > allows you to either hide local repository URLs, all URLs, or show a > > different URL publicly than is used internally.

> > merged for next release, see https://github.com/djzort/SVN-Web

Fri May 25 07:53:48 2012 The RT System itself - Status changed from 'patched' to 'open'

Fri May 25 07:53:48 2012 dean [...] fragfest.com.au - Status changed from 'open' to 'resolved'