mod_dav_svn 1.8.1 assertion triggered by non-canonical URLs

  mod_dav_svn assertion triggered by non-canonical URLs in autoversioning
  commits.

Summary:
========

  When SVNAutoversioning is enabled via

    SVNAutoversioning on

  commits can be made by single HTTP requests such as MKCOL and
  PUT.  If Subversion is built with assertions enabled any such
  requests that have non-canonical URLs, such as URLs with a
  trailing /, may trigger an assert.  An assert will cause the
  Apache process to abort.

Known vulnerable:
=================

  mod_dav_svn 1.7.11 through 1.7.13
  mod_dav_svn 1.8.1 through 1.8.4

Known fixed:
============

  mod_dav_svn 1.7.14
  mod_dav_svn 1.8.5

Details:
========

  Given a repository located at http://example.com/repos the assert can
  be triggered by commands like:

    curl -X PUT http://example.com/repos/A/
    curl -X MKCOL http://example.com/repos/A/../B

  The assert happens after the commit has happened in the repository
  and will not occur if the commit is rejected.

Severity:
=========

  CVSSv2 Base Score: 3.5
  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

  We consider this to be a low risk vulnerability.

  The attacker needs to have commit access to the repository to
  exploit the vulnerability.

  Most Subversion servers do not have autoversioning enabled. 

  In order for there to be any impact assertions must have been enabled when
  mod_dav_svn was built.  In this case if assertions are disabled there is no
  impact.  They are enabled by default on *nix and disabled on Windows.

  The assertion will cause the http server process to abort.  Apache httpd
  servers using a prefork MPM will simply start a new process to replace
  the process that died.  Servers using threaded MPMs may be processing other
  requests in the same process as the process that the attack causes to die.
  In either case there is an increased processing impact of restarting a
  process and the cost of per process caches being lost.

Recommendations:
================

  We recommend all users upgrade mod_dav_svn to Subversion 1.8.5 or 1.7.14 or
  newer.

  Disabling SVNAutoversioning will avoid the problem.

  Building Subversion with assertions disabled will avoid the problem.
  This can be done using the --disable-debug option to configure on *nix and
  by using a Release build profile on Windows.

References:
===========

  CVE-2013-4558 (Subversion)

Reported by:
============

  Philip Martin, WANdisco

Patches:
========

Patch for Subversion 1.7.x and 1.8.x:
[[[
Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c	(revision 1539596)
+++ subversion/mod_dav_svn/repos.c	(working copy)
@@ -2456,9 +2456,12 @@ get_parent_resource(const dav_resource *resource,
       parent->info = parentinfo;
 
       parentinfo->uri_path =
-        svn_stringbuf_create(get_parent_path(resource->info->uri_path->data,
-                                             TRUE, resource->pool),
-                             resource->pool);
+        svn_stringbuf_create(
+               get_parent_path(
+                   svn_urlpath__canonicalize(resource->info->uri_path->data,
+                                            resource->pool),
+                   TRUE, resource->pool),
+               resource->pool);
       parentinfo->repos = resource->info->repos;
       parentinfo->root = resource->info->root;
       parentinfo->r = resource->info->r;
]]]