From: Ben Reser <ben@reser.org>
Subject: [PATCH] Disallow methods other than GET/HEAD for the parentpath list.
Date: Sat, 11 Jan 2014 07:19:54 +0000
References: bnc#862459 CVE-2014-0032 http://svn.apache.org/viewvc?view=revision&revision=r1557320
Upstream: committed

------------------------------------------------------------------------
r1557320 | breser | 2014-01-11 07:19:54 +0000 (Sat, 11 Jan 2014) | 13 lines
Changed paths:
   M /subversion/trunk/subversion/mod_dav_svn/repos.c

Disallow methods other than GET/HEAD for the parentpath list.

Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling
the server root and SVNListParentPath is on.

CVE-2014-0032

* subversion/mod_dav_svn/repos.c
  (get_resource): Return an error when we try to get a parentpath list
    resource and the method isn't GET.

Found by: lgo

------------------------------------------------------------------------
---
 subversion/mod_dav_svn/repos.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

Index: subversion-1.8.5/subversion/mod_dav_svn/repos.c
===================================================================
--- subversion-1.8.5.orig/subversion/mod_dav_svn/repos.c	2013-11-14 21:02:26.000000000 +0000
+++ subversion-1.8.5/subversion/mod_dav_svn/repos.c	2014-02-09 22:25:05.000000000 +0000
@@ -1971,6 +1971,25 @@ get_resource(request_rec *r,
      of private resource, iff the SVNListParentPath directive is 'on'. */
   if (dav_svn__is_parentpath_list(r))
     {
+      /* Only allow GET and HEAD on the parentpath resource
+       * httpd uses the same method_number for HEAD as GET */
+      if (r->method_number != M_GET)
+        {
+          int status;
+
+          /* Marshall the error back to the client by generating by
+           * way of the dav_svn__error_response_tag trick. */
+          err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
+                                   SVN_ERR_APMOD_MALFORMED_URI,
+                                   "The URI does not contain the name "
+                                   "of a repository.");
+          /* can't use r->allowed since the default handler isn't called */
+          apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
+          status = dav_svn__error_response_tag(r, err);
+
+          return dav_push_error(r->pool, status, err->error_id, NULL, err);
+        }
+
       err = get_parentpath_resource(r, resource);
       if (err)
         return err;