r1804691 | danielsh | 2017-08-10 18:14:13 +0000 (Thu, 10 Aug 2017)
Fix CVE-2017-9800.
See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
* subversion/libsvn_ra_svn/client.c
  (svn_ctype.h): Include.
  (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
    Expect the 'hostinfo' parameter to be URI-decoded.
  (is_valid_hostinfo): New.
  (ra_svn_open): Validate the hostname before using it.

* subversion/libsvn_subr/config_file.c
  (svn_config_ensure): Update the example configuration likewise.

Patch by: philip
Review by: danielsh
           stsp
           astieger (earlier version)
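
The two measures named in the log message, validating the hostinfo and passing a "--" guard to ssh, shown together as an added example (not the code from r1804691). `hostinfo_is_safe` and `build_tunnel_argv` are hypothetical names, the allow-list is an assumed policy, and the input is taken to be already URI-decoded.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed allow-list for [user@]host[:port]; not Subversion's
   is_valid_hostinfo().  The user and host parts must each start with an
   alphanumeric, so neither can be read as an option by the tunnel agent. */
static int hostinfo_is_safe(const char *hostinfo)
{
  int at_start = 1;   /* at the first character of the user or host part */
  const char *p;
  if (hostinfo == NULL)
    return 0;
  for (p = hostinfo; *p != '\0'; p++) {
    unsigned char c = (unsigned char)*p;
    if (!isalnum(c) && (at_start || strchr(".-_:@", c) == NULL))
      return 0;       /* leading punctuation, whitespace, shell characters */
    at_start = (c == '@');
  }
  return !at_start;   /* also rejects "" and a trailing '@' */
}

/* Build "ssh -q -- <hostinfo> svnserve -t" as a NULL-terminated vector for
   execvp().  Returns argc, or -1 if hostinfo is rejected or cap is too small.
   "-q" and "svnserve -t" are illustrative; the "--" guard is the point. */
static int build_tunnel_argv(const char *hostinfo, const char **argv, size_t cap)
{
  int n = 0;
  if (cap < 7 || !hostinfo_is_safe(hostinfo))
    return -1;
  argv[n++] = "ssh";
  argv[n++] = "-q";
  argv[n++] = "--";   /* end of options: later arguments are operands */
  argv[n++] = hostinfo;
  argv[n++] = "svnserve";
  argv[n++] = "-t";
  argv[n] = NULL;
  return n;
}

int main(void)
{
  const char *args[7];
  int i, n = build_tunnel_argv("user@svn.example.org", args, 7); /* constructed */
  for (i = 0; i < n; i++)
    printf("%s%s", args[i], i + 1 < n ? " " : "\n");
  return n == 6 ? 0 : 1;
}
```

The validation and the guard are independent layers: the guard still applies if a tunnel command is configured without the check, and the check still applies if the configured agent does not honour "--".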