
Re: svn co ignores subfolders with restricted access

From: Freek Dijkstra <public_at_macfreek.nl>
Date: 2007-07-10 23:50:10 CEST

Lakshman, Matt,

Thanks for your reply. It encouraged me to look further.
.htaccess has nothing to do with it. It turns out to be a bug in the
design of subversion. Basically, subversion checkout ALWAYS tries to
download the root folder without authentication, then gets a result,
including a statement that one of the subfolders is unreadable (as
anonymous), and never tries to fetch it with the given credentials.

This is plain and simple a bug in subversion.

So, where can I submit bug reports?

I just replicated the bug on a repository with HTTP instead of HTTPS, so
I could monitor the raw HTTP traffic.

Summary:
For webdav based repositories, subversion checkout ignores restricted
subfolders in a repository if the root folder is anonymously accessible.
Even if proper authentication is given.

Steps to reproduce:
1. Set up Apache with SVN and webdav. I simply took a fresh Debian
   install with the libapache2-svn packages (and relevant dependencies).
2. Set up a new repository with anonymously accessible root, and
   restricted subfolder. E.g., with this configuration:
   ---- httpd.conf: ---------------------------------------------
   ServerName www.example.com
   <Location /svn>
     DAV svn
     SVNParentPath /var/data/svn
     AuthType Basic
     AuthName "Subversion Repository"
     AuthUserFile /etc/apache2/dav_svn.passwd
     order allow,deny
     allow from all
     Require valid-user
     Satisfy Any
     AuthzSVNAccessFile /etc/apache2/dav_svn.acl
   </Location>
   ----------------------------------------------------------------
   ---- dav_svn.acl: --------------------------------------------
   [myrepos:/]
   auser = rw
   * = r

   [myrepos:/restrictedsubfolder]
   auser = rw
   * =
   ----------------------------------------------------------------
3. Do a checkout as user "auser":
   svn checkout --user auser --password secret \
     http://www.example.com/svn/myrepos

Expected result:
I expect that the whole myrepos repository would be checked out,
including the restrictedsubfolder, as that is readable by auser.

Actual result:
All of the repository is checked out as anonymous, and the
restrictedsubfolder is completely ignored.

Regression:
The commands and provided username/password are correct. In fact, here
is an excerpt from the Apache log file:
Anonymous checkout of root folder: OK (HTTP 207 result):
  192.0.2.34 - - "PROPFIND /svn/myrepos HTTP/1.1" 207
     665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Anonymous checkout of restrictedsubfolder: Disallowed (HTTP 401 result):
  192.0.2.34 - - "PROPFIND /svn/myrepos HTTP/1.1" 401
     560 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Authenticated checkout of root folder: OK (HTTP 207 result):
  192.0.2.34 - auser - "PROPFIND /svn/myrepos HTTP/1.1" 207
     665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Authenticated checkout of restrictedsubfolder: OK (HTTP 207 result):
  192.0.2.34 - auser - "PROPFIND /svn/myrepos HTTP/1.1" 207
     665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"

In fact, I even further analysed the raw HTTP data. This is what happens
for a restricted access root folder, if you provide authentication:
* the subversion client accesses the HTTP page without authentication
* the server responds with a 401 result (Need authentication)
* the subversion client retries with authentication
* the server responds with a 207 result (OK)
* The repository metadata and a list of files is downloaded

Now, this is what happens for a publicly accessible root folder, if
you provide authentication:
* the subversion client accesses the HTTP page without authentication
* the server responds with a 207 result (OK)
* The repository metadata and a partial list of files is downloaded

The list of downloaded files is PARTIAL, because it contains this data
(excerpt of the full XML transcript):
  <S:absent-directory name="restrictedsubfolder"/>
  <S:add-directory name="publicsubfolder"
    bc-url="/svn/myrepos/!svn/bc/7/publicsubfolder">
  <D:checked-in><D:href>
    /svn/myrepos/!svn/ver/7/publicsubfolder
  </D:href></D:checked-in>

So the restricted access subfolder is marked as "absent-directory". That
is true in this context, as the subversion client never provided
authentication. However, it means that the client will also never
attempt to download the data, even though proper authentication was
given on the command line!

Regards,
Freek Dijkstra
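The following script is an added illustration, not part of the original mail and not code from Subversion or mod_authz_svn. It models, in a simplified form, how the dav_svn.acl above is evaluated for an anonymous principal versus "auser" (the most specific path section that has a rule for the principal wins, and an explicit user entry overrides "*"), and then labels the root's children the way the update report in the mail does ("add-directory" when readable, "absent-directory" when not). The ACL text is copied from the mail; the child directory names come from the XML excerpt; the function names and the anonymous-as-None convention are this example's own assumptions.

```python
"""Simplified model of path-based authz, written to illustrate why an
anonymous PROPFIND on the root yields <S:absent-directory> for
restrictedsubfolder while the same request as "auser" would not.
This is an added example, not mod_authz_svn's own logic."""

# dav_svn.acl exactly as given in the report above.
ACL_TEXT = """
[myrepos:/]
auser = rw
* = r

[myrepos:/restrictedsubfolder]
auser = rw
* =
"""


def parse_authz(text):
    """Return {(repo, path): [(principal, perms), ...]} in file order.

    A "[/path]" section without a repository name applies to every
    repository and is stored under repo "*". A [groups] section is
    skipped: group expansion is not modelled in this example.
    """
    rules = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            header = line[1:-1]
            if header == "groups":
                section = None
                continue
            repo, _, path = header.partition(":")
            if not path:
                repo, path = "*", repo
            section = (repo, path.rstrip("/") or "/")
            rules[section] = []
            continue
        if section is None:
            continue
        principal, _, perms = line.partition("=")
        rules[section].append((principal.strip(), perms.strip()))
    return rules


def effective_access(rules, repo, path, user):
    """Permission string ("", "r" or "rw") for user on repo:path.

    Walks from the requested path up to "/" and returns the first rule
    that applies; within a section an explicit user entry beats "*".
    Anonymous is represented by user=None and can only match "*".
    Repository-specific sections are consulted before global ones.
    """
    path = "/" + path.strip("/")
    candidates = [path]
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        candidates.append(path)
    for p in candidates:
        for r in (repo, "*"):
            section = rules.get((r, p))
            if not section:
                continue
            perms = dict(section)
            if user is not None and user in perms:
                return perms[user]
            if "*" in perms:
                return perms["*"]
    return ""


def update_report_entries(rules, repo, children, user):
    """Label each child of the root as the update report would."""
    labels = {}
    for child in children:
        perms = effective_access(rules, repo, "/" + child, user)
        labels[child] = "add-directory" if "r" in perms else "absent-directory"
    return labels


RULES = parse_authz(ACL_TEXT)
# Child directory names taken from the XML excerpt in the report.
CHILDREN = ["restrictedsubfolder", "publicsubfolder"]

if __name__ == "__main__":
    for who in (None, "auser"):
        name = "anonymous" if who is None else who
        print(f"{name}: root={effective_access(RULES, 'myrepos', '/', who)!r}",
              update_report_entries(RULES, "myrepos", CHILDREN, who))
```

Run as-is it prints the anonymous view (restrictedsubfolder absent, publicsubfolder added) followed by the auser view (both added). The server side is behaving as configured in both cases; the difference in the checkout comes entirely from which principal the client used for the first request on the root.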

Received on Tue Jul 10 23:49:48 2007

This is an archived mail posted to the Subversion Users mailing list.