[kgb-maintainers] DoS bug in KGB

Martín Ferrari martin.ferrari at gmail.com
Sun Sep 20 18:33:35 UTC 2009


Hi there,

today the 3 kgb bots died suddenly, and I started taking a look. The
origin was a commit by Raphael Hertzog that had some extended chars in
the commit log (it seems we're so boring as to never use them :)).

It was a two-fold problem: on the server side, it received utf8 wide
chars that were passed to the sha1 module for authentication, and that
failed. I added the correct conversion code for that to work.

On the client side, it stopped being able to authenticate, because the
strings were handled differently. SVN gives utf-8 encoded *byte
sequences*, so perl treats them as legacy-encoded or something like
that :)
I added the code that tries to automatically detect if the strings are
legacy or utf and then convert them to proper utf8 *char* sequences
and uses those for SOAP (so it can faithfully transmit them). Then
decodes them for sha1 generation.

This triggered another bug. SOAP::Lite had an ugly hack to decode utf8
(instead of using utf8::decode) that doesn't seem to work. I left a
modified copy of one file in the alioth tree so the post-commit hook
uses it. I need to see if this is still present in current SOAP::Lite
versions, but I don't have any environment to test this outside of
alioth right now.

I committed all this to trunk/, and tried to commit to branches/stable.
But I really don't understand how it is supposed to work. Dam, you
might be able to help here.
In the repo, branches/stable/debian/changelog says version 0.04
released. But the tree is identical to tags/0.03... So I really don't
get it :)
Also, the checked out tree in alioth for use in post-commit has
gazillions of non-committed merges, so I didn't want to touch anything
there, except for the fix for the post-commit.

So, in /home/groups/kgb/stable/lib/App/KGB/Client there's an
uncommitted fix for the client that's equivalent to the one in trunk.
The server fix is committed to branches/stable, but I don't know which
tag to touch or what to do.
The debian/changelog in stable is untouched.

-- 
Martín Ferrari
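
The failure mode described in the message above, as an added Perl example (not part of the original message and not KGB's own code): a SHA-1 authentication digest breaks when one side hashes characters and the other hashes UTF-8 bytes, and dies outright on wide characters. The helper names `to_chars` and `auth_digest`, the secret and the sample strings are all constructed for illustration.

```perl
use strict;
use warnings;
use Encode qw(decode encode);
use Digest::SHA qw(sha1_hex);

# Hypothetical helper: turn whatever the VCS hook handed us into a
# character string. Valid UTF-8 byte sequences are decoded as UTF-8;
# anything else is assumed to be a legacy ISO-8859-1 byte string.
sub to_chars {
    my ($raw) = @_;
    return $raw if utf8::is_utf8($raw);    # already a character string
    my $chars = eval {
        decode('UTF-8', $raw, Encode::FB_CROAK() | Encode::LEAVE_SRC());
    };
    return defined $chars ? $chars : decode('ISO-8859-1', $raw);
}

# Hypothetical digest: SHA-1 over the shared secret plus message fields.
# The hash input is always UTF-8 *bytes*, never a character string.
sub auth_digest {
    my ($secret, @fields) = @_;
    return sha1_hex(encode('UTF-8', join('', $secret, @fields)));
}

# Constructed sample data: the same commit log as UTF-8 bytes (what SVN
# hands the hook) and as Latin-1 bytes (a legacy-encoded client).
my $secret     = 'constructed-secret';
my $log_utf8   = "caf\xc3\xa9 fixed";
my $log_latin1 = "caf\xe9 fixed";

# Both inputs normalise to the same characters, so the digests agree.
my $d_utf8   = auth_digest($secret, to_chars($log_utf8));
my $d_latin1 = auth_digest($secret, to_chars($log_latin1));
print "normalised digests match: ", ($d_utf8 eq $d_latin1 ? "yes" : "no"), "\n";

# Hashing the character string directly silently hashes the Latin-1 byte
# instead of the UTF-8 bytes, so the peer's digest no longer matches.
my $naive = sha1_hex($secret . to_chars($log_utf8));
print "naive digest matches: ", ($naive eq $d_utf8 ? "yes" : "no"), "\n";

# A wide character (above U+00FF) cannot be downgraded to bytes at all:
# the digest call croaks, which is fatal to an unguarded daemon.
my $wide = "snowman \x{2603}";
my $died = !defined eval { sha1_hex($secret . $wide) };
print "raw sha1 on wide chars dies: ", ($died ? "yes" : "no"), "\n";
print "digest after encode: ", auth_digest($secret, $wide), "\n";
```

Wrapping the digest call in `eval` on the receiving side, as the last lines do, keeps a single malformed or unexpected message from terminating the process.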