
Re: [PATCH]: mod_authz_svn returns HTTP 500 instead of HTTP 403

From: Jani Averbach <jaa_at_jaa.iki.fi>
Date: 2004-09-20 18:31:58 CEST

On 2004-09-20 07:49-0500, kfogel@collab.net wrote:
> Jani Averbach <jaa@jaa.iki.fi> writes:
> > Log:
> >
> > With combination mod_dav_svn + mod_authz_svn + SVNParentPath you get
> > '500 Internal Server Error', when mod_dav_svn's dav_svn_split_uri
> > originally returned '403 Forbidden'. This happens when you access the
> > root of SVNParentPath. Replay forward dav_svn_split_uri's return
> > value iff it won't clash with our access related return codes.
>

> At first I thought the former, but on reading the patch, I now think
> the latter.

The latter, how things will be after the change. At the moment you will
get 'Internal server error'.

>
> What exactly was the security issue?

The security-related change is that 'req_check_access' will return OK
or DECLINED or some error code to the upper caller 'access_checker', which
will decide by these return values if access is granted or not.
Before my modifications, this return code space was tightly controlled
by 'req_check_access'. But my modifications will broaden it to
also include dav_svn_split_uri's return code space. For this reason
we have to take an extra step to check that we won't ever give access by
dav_svn_split in the (erroneous) case when dav_svn_split returned an error,
but the error code was OK.

BR, Jani

-- 
Jani Averbach
Received on Mon Sep 20 18:32:32 2004
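
The return-code check described in the message above, as an added example that is not part of the original post or of the Subversion source. The struct, the function names and the caller model are hypothetical; the constants are defined locally with the values Apache httpd uses.

```c
#include <stdio.h>

/* Constructed for this example; values match Apache httpd's OK, DECLINED
 * and HTTP status codes. */
#define OK 0
#define DECLINED (-1)
#define HTTP_FORBIDDEN 403
#define HTTP_INTERNAL_SERVER_ERROR 500

/* Hypothetical stand-in for the error a URI-splitting helper hands back. */
struct split_err { int status; };

/* Before: the helper's status is forwarded unchecked, so it enters the
 * return-code space the caller uses to decide access. */
int check_access_naive(const struct split_err *err)
{
    if (err)
        return err->status;
    return OK; /* authorization rules omitted: assume they passed */
}

/* After: a helper failure is forwarded only if it cannot be read as an
 * access decision; otherwise it becomes a 500. */
int check_access_hardened(const struct split_err *err)
{
    if (err)
        return (err->status != OK && err->status != DECLINED)
                   ? err->status : HTTP_INTERNAL_SERVER_ERROR;
    return OK;
}

/* Assumed caller model: only a real error code stops the request. */
int request_passes(int status)
{
    return status == OK || status == DECLINED;
}

int main(void)
{
    struct split_err forbidden = { HTTP_FORBIDDEN };
    struct split_err bogus = { OK }; /* erroneous: failure carrying OK */

    printf("403 forwarded as %d\n", check_access_hardened(&forbidden));
    printf("naive, bogus error: passes=%d\n",
           request_passes(check_access_naive(&bogus)));
    printf("hardened, bogus error: passes=%d\n",
           request_passes(check_access_hardened(&bogus)));
    return 0;
}
```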
