Posted by Bruno Luiz on Jun 11

Subversion HTTP servers allow spoofing svn:author property values
for new revisions.

Summary:
========

Subversion’s mod_dav_svn server allows setting arbitrary svn:author
property values when committing new revisions. This can be accomplished
using a specially crafted sequence of requests. An evil-doer can fake
svn:author values on his commits. However, as authorization rules are
applied to the evil-doer’s true…