Hi,
hereby attached is my patch for issue 2486. Referring to previous
discussions concerning this issue:
http://svn.haxx.se/dev/archive-2006-03/0003.shtml and
http://svn.haxx.se/dev/archive-2006-01/0704.shtml
This patch contains these changes:
- libsvn_repos/commit.c: removed unneeded checks for read-access in
open_root and open_directory;
- tests/cmdline/authz-tests.py: new tests for this issue, test on open_root
and open_directory.
- repos-test.c: removed now obsolete white-box test
To avoid introducing functional or security issues, I did the following tests:
- ran repos-test. I had to remove part of a test that calls open_directory
on a folder with no read-access expecting an error there. That isn't working
anymore, so I removed that part of the test(!).
- tested the error-messages returned when trying to access both denied (*=)
and not-existing folders to check for path-existence leaks. My tests:
repo structure /A/B/E where B is '*='.
Tested 'svn ls svn://localhost/repos/A/B/E' -> svn: Authorization failed
Tested 'svn ls svn://localhost/repos/A/B/XYZ' -> svn: Authorization failed
Tested 'svn mkdir svn://localhost/repos/A/B/E/q' -> svn: Access denied
Tested 'svn mkdir svn://localhost/repos/A/B/E/XYZ/q' -> svn: Access denied
- added the new Python authz-tests.py as a reproduction of the issue. When
run, the tests will:
* be skipped for localhost,
* succeed for http (I tested that as well) and
* for svnserve they succeed when the patch is applied and fail without.
These are the situations I tested but I'm sure this patch should be
thoroughly reviewed on the security part.
This issue was reported a lot on the users list since the release of svn
1.3, so I consider it important to have a fix in 1.3.1.
regards,
Lieven.
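As an added illustration of the path-existence check the mail describes (this is not part of the email or of Subversion's own code), here is a small Python model of path-based authz: the authz rule, repository tree and error strings are constructed for the example, groups and aliases are left out, and it contrasts a check done before the path lookup with one done after it.

```python
import configparser
import posixpath

# Constructed authz file in Subversion's path-based format: readable
# everywhere except /A/B, where "* =" (the email's '*=') denies everyone.
AUTHZ_CONF = """\
[/]
* = r
[/A/B]
* =
"""
REPO_PATHS = {"/", "/A", "/A/B", "/A/B/E"}  # constructed tree; /A/B/XYZ absent

def load_authz(text):
    """Parse the path sections of an authz file into {path: {who: perms}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections() if s.startswith("/")}

def access_for(rules, path, user="anonymous"):
    """Nearest enclosing section with a rule for user or '*' wins (no groups)."""
    p = path
    while True:
        sec = rules.get(p, {})
        if user in sec:
            return sec[user]
        if "*" in sec:
            return sec["*"]
        if p == "/":
            return ""
        p = posixpath.dirname(p)

def svn_ls(rules, path, user="anonymous"):
    """Authz before lookup: a denied path errs the same whether it exists or not."""
    if "r" not in access_for(rules, path, user):
        return "svn: Authorization failed"
    if path not in REPO_PATHS:
        return "svn: Path not found"  # constructed wording, not svn's exact text
    return "ok"

def svn_ls_leaky(rules, path, user="anonymous"):
    """Leaky ordering: existence is checked before authorization."""
    if path not in REPO_PATHS:
        return "svn: Path not found"
    return svn_ls(rules, path, user)

def leaks_existence(ls, rules, existing, missing):
    """True if the error text lets a denied caller tell an existing path from a missing one."""
    return ls(rules, existing) != ls(rules, missing)
```

Running `leaks_existence` over the email's two denied paths (/A/B/E and /A/B/XYZ) is the same comparison the mail performs by hand with `svn ls`.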
Received on Wed Mar 1 22:35:48 2006