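#!/bin/sh
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
#
# $Id: reject-known-sha1-collisions.sh 1784763 2017-02-28 15:40:00Z stsp $
#
# Prevents some SHA-1 collisions from being committed.
# Tests for the 320 byte prefix found on https://shattered.io/
# If the files are committed in the same transaction, svnlook
# will error out itself due to the apparent corruption in the
# candidate revision.
#
# Only files that begin with this one known prefix are rejected: the
# check is a blocklist for that prefix, not a general collision detector.
#
# Arguments (as Subversion passes them to a pre-commit hook):
#   $1 - repository path
#   $2 - transaction name
# Exit status:
#   0 - no changed file starts with the known prefix
#   2 - a required tool is missing, or svnlook failed
#   3 - a changed file starts with the known colliding prefix
# Diagnostics are written to stderr.

REPOS="$1"
TXN="$2"
SVNLOOK=/usr/bin/svnlook
GREP=/usr/bin/grep
SED=/usr/bin/sed
# GNU coreutils versions of these tools are required:
SHA1SUM=/usr/bin/sha1sum
HEAD=/usr/bin/head

# SHA-1 digest of the 320 byte prefix this hook tests for.
KNOWN_PREFIX_SHA1='f92d74e3874587aaf443d1db961d4e26dde13e9c'

# Fail closed on a misconfigured tool path. Without this, a missing grep or
# sed leaves the loop below with no input, and a missing head or sha1sum
# yields an empty digest; either way every commit would pass unchecked.
# cut is the one tool resolved through the shell's PATH.
for TOOL in "$SVNLOOK" "$GREP" "$SED" "$SHA1SUM" "$HEAD" cut; do
  if ! command -v "$TOOL" >/dev/null 2>&1; then
    echo "required tool not found: $TOOL" >&2
    exit 2
  fi
done

# First pass: only the exit status matters here. svnlook itself reports an
# error when both colliding files are part of the same transaction.
if ! "$SVNLOOK" changed -t "$TXN" "$REPOS"; then
  echo "svnlook failed, possible SHA-1 collision" >&2
  exit 2
fi

# Second pass: hash the first 320 bytes of every added or modified file.
#   grep -Ev '^D '   skips deleted paths (nothing to read)
#   sed 's/^....//'  strips the fixed four-character status field, so entries
#                    that carry a property status (_U, UU) give a clean path
#   grep -v '/$'     skips directories
#
# NOTE(review): the status of the command substitution is that of cut, so a
# failing "svnlook cat" hashes empty input and the path is not rejected.
#
# The loop runs in a pipeline subshell; "exit 3" becomes the hook's exit
# status only because this pipeline is the last command in the script.
"$SVNLOOK" changed -t "$TXN" "$REPOS" |
  "$GREP" -Ev '^D ' |
  "$SED" -e 's/^....//' |
  "$GREP" -v '/$' |
  while IFS= read -r FILE; do
    PREFIX=$("$SVNLOOK" cat -t "$TXN" "$REPOS" "$FILE" | "$HEAD" -c320 | "$SHA1SUM" | cut -c-40)
    if [ x"$PREFIX" = x"$KNOWN_PREFIX_SHA1" ]; then
      echo "known SHA-1 collision rejected" >&2
      exit 3
    fi
  done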