ChrootServer/ChrootTransport not used by "bzr serve"

Bug #400535 reported by Andrew Bennetts on 2009-07-17
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Bazaar
Critical
Andrew Bennetts
Nominated for 1.16 by Andrew Bennetts

Bug Description

bzrlib/smart/server.py has a serve_bzr method which is used by "bzr serve". That method has these lines:

    chroot_server = ChrootServer(transport)
    chroot_server.setUp()
    t = get_transport(chroot_server.get_url())

But it then fails to use either chroot_server or t. Instead it runs the server with 'transport', which is generally a file:/// URL.

This may be the cause of bug 398199.

It certainly breaks some trivial uses of bzr serve. A server set up like this:

  $ mkdir /tmp/test-area
  $ cd /tmp/test-area
  $ bzr serve --allow-writes

Will not behave correctly:

  $ bzr --no-plugins init bzr://localhost/some-branch
bzr: ERROR: Server sent an unexpected error: ('error', "An attempt to access a url outside the server jail was made: 'file:///tmp/'.")
HPSS calls: 7 (2 vfs) <bzrlib.smart.medium.SmartTCPClientMedium object at 0x959fbec>

This should be fixed for 1.17.

Related branches

Andrew Bennetts (spiv) wrote :

I have a fix, tests still to come.

Changed in bzr:
assignee: nobody → Andrew Bennetts (spiv)
status: Confirmed → Fix Committed
Andrew Bennetts (spiv) wrote :

It appears that the combination of paranoia in SmartServerRequest.translate_client_path and the server-side jail for BzrDir.open protects us from accidentally allowing clients access to data outside the permitted directory. So this is merely a serious bug that breaks some legitimate functionality, rather than an exploitable security issue. So this bug doesn't need to remain private.

It's also possibly the cause of bug 398199.

description: updated
security vulnerability: yes → no
visibility: private → public
Jonathan Lange (jml) on 2009-07-20
Changed in bzr:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers