Jani Averbach <jaa@jaa.iki.fi> writes:
> Log:
>
> With combination mod_dav_svn + mod_authz_svn + SVNParentPath you get
> '500 Internal Server Error', when mod_dav_svn's dav_svn_split_uri
> originally returned '403 Forbidden'. This happens when you access the
> root of SVNParentPath. Replay forward dav_svn_split_uri's return
> value iff it won't clash with our access releated return codes.
The log message is a little unclear on what's changing. Is the first
sentence describing the way things are currently, or the way things
will be after this change? At first I thought the former, but on
reading the patch, I now think the latter.
What exactly was the security issue? Is it that someone could
differentiate between the URL that is the parent of all repositories
and the URLs that are inside repositories, and then they could (maybe)
use that to guess at other repository names underneath the root or
something?
I don't have any problems with the patch, I'm just trying to
understand it better.
Thanks,
-Karl
> * subversion/mod_authz_svn/mod_authz_svn.c
> (req_check_access): if dav_svn_split_uri's error code didn't clash with
> our access related values, replay it forward.
>
> Index: subversion/mod_authz_svn/mod_authz_svn.c
> ===================================================================
> --- subversion/mod_authz_svn/mod_authz_svn.c (revision 11042)
> +++ subversion/mod_authz_svn/mod_authz_svn.c (working copy)
> @@ -366,7 +366,9 @@
> ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> "%s [%d, #%d]",
> dav_err->desc, dav_err->status, dav_err->error_id);
> - return HTTP_INTERNAL_SERVER_ERROR;
> + /* Ensure that we never allow access by dav_err->status */
> + return (dav_err->status != OK && dav_err->status != DECLINED) ?
> + dav_err->status : HTTP_INTERNAL_SERVER_ERROR;
> }
>
> /* Ignore the URI passed to MERGE, like mod_dav_svn does.
> @@ -417,7 +419,9 @@
> ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> "%s [%d, #%d]",
> dav_err->desc, dav_err->status, dav_err->error_id);
> - return HTTP_INTERNAL_SERVER_ERROR;
> + /* Ensure that we never allow access by dav_err->status */
> + return (dav_err->status != OK && dav_err->status != DECLINED) ?
> + dav_err->status : HTTP_INTERNAL_SERVER_ERROR;
> }
>
> if (dest_repos_path)
>
> --
> Jani Averbach
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Sep 20 16:33:43 2004