
Re: Authz inconsistency in svn_repos_get_logs()

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2007-10-16 23:05:32 CEST

Vlad Georgescu wrote:
> While working on issue #2712, I noticed that if you run 'svn log' on the
> root of a repository, svn_repos_get_logs4() won't check the authz rules,
> but if you run 'svn log' on a path below the root or on multiple paths,
> the checks will be made and you'll get an error if you don't have
> permission to read that path.

By the way, this isn't a security problem, because we do
another round of authz checks later (in libsvn_repos/log.c:
detect_changed()) to determine what information to send back, so the
user never sees stuff he isn't supposed to.

The checks I'm talking about are in get_path_histories() and will simply
deny you access completely. The inconsistency is that we don't make
that check for the root of the repository, because it is handled by
svn_repos_get_logs() directly.

-- 
Vlad
Received on Tue Oct 16 23:09:50 2007
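
The following is an added illustration, not part of the original mail and not Subversion source code: a simplified C model of the two authz stages the message describes, an all-or-nothing check on the requested paths and a later per-path filter on what is sent back. `model_log`, `can_read`, `under`, the policy and the revision history are hypothetical names and constructed data; the `gate_root` switch is an assumption used only to compare the root shortcut with a consistently gated root.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Subversion source. Policy and history are constructed. */
struct rev { int num; const char *changed[3]; };   /* NULL-terminated */
static const struct rev history[] = {
    {1, {"/public/a.c", NULL, NULL}},
    {2, {"/secret/key.txt", NULL, NULL}},
    {3, {"/public/b.c", "/secret/plan.txt", NULL}},
};
#define NREVS (sizeof history / sizeof history[0])

/* True if path is dir itself or lies below it. */
static int under(const char *path, const char *dir) {
    size_t n = strlen(dir);
    if (strcmp(dir, "/") == 0) return 1;
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Assumed authz rule: this user may read /public and nothing else. */
static int can_read(const char *path) { return under(path, "/public"); }

/* Returns -1 if the whole request is refused, otherwise the number of
   changed paths disclosed. gate_root == 0 models the root shortcut. */
static int model_log(const char **targets, int n, int gate_root) {
    int is_root = (n == 1 && strcmp(targets[0], "/") == 0);
    if (!is_root || gate_root)                 /* up-front, all-or-nothing gate */
        for (int i = 0; i < n; i++)
            if (!can_read(targets[i])) return -1;
    int disclosed = 0;                         /* second round: per-path filter */
    for (size_t r = 0; r < NREVS; r++)
        for (int c = 0; c < 3 && history[r].changed[c]; c++)
            for (int i = 0; i < n; i++)
                if (under(history[r].changed[c], targets[i])) {
                    disclosed += can_read(history[r].changed[c]);
                    break;
                }
    return disclosed;
}

int main(void) {
    const char *root[] = {"/"}, *secret[] = {"/secret"}, *pub[] = {"/public"};
    printf("log /        (shortcut): %d\n", model_log(root, 1, 0));
    printf("log /secret            : %d\n", model_log(secret, 1, 0));
    printf("log /public            : %d\n", model_log(pub, 1, 0));
    printf("log /        (gated)   : %d\n", model_log(root, 1, 1));
    return 0;
}
```

In this model the root request is never refused but discloses only the readable paths, while a request naming an unreadable path is refused outright, which is the inconsistency without a disclosure.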

This is an archived mail posted to the Subversion Dev mailing list.