Comment 2 for bug 1284641

There's a problem with any DAV client, it's not only the old svn client. So I'll raise the issue upstream.

I had raised it here because in the past, similar reports to upstream were answered with "then upgrade your client to fix the problem", while here it's a real concern for Ubuntu.

But it is really a violation of the WebDAV protocol, so I expect upstream will want to fix it.

Excerpt of traffic between cadaver and mod_dav_svn 1.8.8; see how space, < and % characters are not escaped (but are in other contexts).

I suppose it's not impossible that there are security implications, as someone may be able to craft a harmful PROPFIND response (since <, > are not encoded) by adding crafted file names to the repository.

  PROPFIND /svn/ HTTP/1.1
  User-Agent: cadaver/0.23.3 neon/0.29.1
  Connection: TE
  TE: trailers
  Host: vm189-eth0.vmnet60
  Depth: 1
  Content-Length: 288
  Content-Type: application/xml

  <?xml version="1.0" encoding="utf-8"?>
  <propfind xmlns="DAV:"><prop>
  <getcontentlength xmlns="DAV:"/>
  <getlastmodified xmlns="DAV:"/>
  <executable xmlns="http://apache.org/dav/props/"/>
  <resourcetype xmlns="DAV:"/>
  <checked-in xmlns="DAV:"/>
  <checked-out xmlns="DAV:"/>
  </prop></propfind>

  HTTP/1.1 207 Multi-Status
  Date: Wed, 26 Feb 2014 08:40:23 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Content-Length: 2549
  Content-Type: text/xml; charset="utf-8"

  <?xml version="1.0" encoding="utf-8"?>
  <D:multistatus xmlns:D="DAV:" xmlns:ns1="http://apache.org/dav/props/" xmlns:ns0="DAV:">
  <D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="DAV:" xmlns:g1="http://apache.org/dav/props/">
  <D:href>/svn/</D:href>
  <D:propstat>
  <D:prop>
  <lp1:getlastmodified>Tue, 25 Feb 2014 14:43:59 GMT</lp1:getlastmodified>
  <lp1:resourcetype><D:collection/></lp1:resourcetype>
  <lp1:checked-in><D:href>/svn/!svn/ver/5/</D:href></lp1:checked-in>
  </D:prop>
  <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
  <D:prop>
  <g0:getcontentlength/>
  <g1:executable/>
  <g0:checked-out/>
  </D:prop>
  <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
  </D:response>
  <D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="http://apache.org/dav/props/" xmlns:g1="DAV:">
⇨ <D:href>/svn/a>b</D:href>
  <D:propstat>
  <D:prop>
  <lp1:getcontentlength>10</lp1:getcontentlength>
  <lp1:getlastmodified>Tue, 25 Feb 2014 13:09:01 GMT</lp1:getlastmodified>
  <lp1:resourcetype/>
  <lp1:checked-in><D:href>/svn/!svn/ver/3/a%3Eb</D:href></lp1:checked-in>
  </D:prop>
  <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
  <D:prop>
  <g0:executable/>
  <g1:checked-out/>
  </D:prop>
  <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
  </D:response>
  <D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="DAV:" xmlns:g1="http://apache.org/dav/props/">
⇨ <D:href>/svn/A B/</D:href>
  <D:propstat>
  <D:prop>
  <lp1:getlastmodified>Tue, 25 Feb 2014 12:46:53 GMT</lp1:getlastmodified>
  <lp1:resourcetype><D:collection/></lp1:resourcetype>
  <lp1:checked-in><D:href>/svn/!svn/ver/1/A%20B</D:href></lp1:checked-in>
  </D:prop>
  <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
  <D:prop>
  <g0:getcontentlength/>
  <g1:executable/>
  <g0:checked-out/>
  </D:prop>
  <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
  </D:response>
  <D:response xmlns:lp1="DAV:" xmlns:lp3="http://subversion.tigris.org/xmlns/dav/" xmlns:g0="http://apache.org/dav/props/" xmlns:g1="DAV:">
⇨ <D:href>/svn/%2F</D:href>
  <D:propstat>
  <D:prop>
  <lp1:getcontentlength>9</lp1:getcontentlength>
  <lp1:getlastmodified>Tue, 25 Feb 2014 14:43:59 GMT</lp1:getlastmodified>
  <lp1:resourcetype/>
  <lp1:checked-in><D:href>/svn/!svn/ver/5/%252F</D:href></lp1:checked-in>
  </D:prop>
  <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
  <D:prop>
  <g0:executable/>
  <g1:checked-out/>
  </D:prop>
  <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
  </D:response>
  </D:multistatus>
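As an added illustration (not part of the bug report, and not Subversion or Apache code): a small Python check that parses a 207 Multi-Status like the one above, flags every D:href that is not a legal URI path, and rebuilds the href the server should have sent from the correctly encoded `!svn/ver/N/...` URL in the `checked-in` property. The sample multistatus is trimmed from the capture above; the assumption that the path after `!svn/ver/N/` in `checked-in` is the properly percent-encoded repository path is taken from that capture, not from any specification.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

DAV = "{DAV:}"

# RFC 3986 path characters: unreserved / pct-encoded / sub-delims / ":" / "@" / "/"
_PATH_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2})*")

# Layout of mod_dav_svn's version-resource URLs, as seen in the capture above
# (an assumption about the layout, not documented behaviour).
_VER_RE = re.compile(r"^(?P<root>.*?)/!svn/ver/\d+/(?P<path>.*)$")

# Constructed sample: the four responses of the capture above, trimmed to the
# properties this check needs (href, resourcetype, checked-in).
MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response><D:href>/svn/</D:href><D:propstat><D:prop>
<D:resourcetype><D:collection/></D:resourcetype>
<D:checked-in><D:href>/svn/!svn/ver/5/</D:href></D:checked-in>
</D:prop></D:propstat></D:response>
<D:response><D:href>/svn/a>b</D:href><D:propstat><D:prop>
<D:resourcetype/>
<D:checked-in><D:href>/svn/!svn/ver/3/a%3Eb</D:href></D:checked-in>
</D:prop></D:propstat></D:response>
<D:response><D:href>/svn/A B/</D:href><D:propstat><D:prop>
<D:resourcetype><D:collection/></D:resourcetype>
<D:checked-in><D:href>/svn/!svn/ver/1/A%20B</D:href></D:checked-in>
</D:prop></D:propstat></D:response>
<D:response><D:href>/svn/%2F</D:href><D:propstat><D:prop>
<D:resourcetype/>
<D:checked-in><D:href>/svn/!svn/ver/5/%252F</D:href></D:checked-in>
</D:prop></D:propstat></D:response>
</D:multistatus>
"""


def is_valid_uri_path(path: str) -> bool:
    """True if every character of `path` is allowed in a URI path."""
    return _PATH_RE.fullmatch(path) is not None


def expected_href(checked_in: str, is_collection: bool) -> str:
    """Rebuild the D:href the server should have emitted.

    The checked-in URL is percent-encoded correctly, so decoding its path once
    gives the real repository path; quote() re-encodes it the way the top-level
    href should have been encoded.
    """
    m = _VER_RE.match(checked_in)
    if m is None:
        raise ValueError(f"not a !svn/ver/ URL: {checked_in}")
    root, enc_path = m.group("root"), m.group("path")
    real_path = unquote(enc_path.rstrip("/"))
    href = root + "/" + quote(real_path, safe="/")
    if is_collection and not href.endswith("/"):
        href += "/"
    return href


def audit(xml_bytes: bytes) -> list:
    """One finding per D:response: the raw href, whether it is a legal URI
    path, what a client decoding it would get, the href that should have been
    sent, and whether decoding the raw href yields a different path than the
    real one (the silent-misdirection case)."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for resp in root.iter(DAV + "response"):
        href = resp.find(DAV + "href").text
        ci = resp.find(f".//{DAV}checked-in/{DAV}href")
        is_coll = resp.find(f".//{DAV}resourcetype/{DAV}collection") is not None
        want = expected_href(ci.text, is_coll) if ci is not None else None
        findings.append({
            "href": href,
            "valid": is_valid_uri_path(href),
            "client_decodes_to": unquote(href),
            "expected": want,
            "ambiguous": want is not None and unquote(href) != unquote(want),
        })
    return findings


if __name__ == "__main__":
    for f in audit(MULTISTATUS):
        flag = "OK " if f["valid"] and not f["ambiguous"] else "BAD"
        print(f"{flag} {f['href']!r:16} decodes to {f['client_decodes_to']!r:14} "
              f"should be {f['expected']!r}")
```

The two `<`/`>` and space cases fail the syntax check outright, so a strict client will at least notice them. The `%2F` case is the nastier one: `/svn/%2F` is a syntactically valid path, but a client that decodes it ends up at `/svn//` while the file is really named `%2F`, and nothing in the href itself reveals the mismatch; only the correctly encoded `checked-in` URL does.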