--- mod_authz_svn.c.orig 2004-09-29 11:35:44.000000000 +0200
+++ mod_authz_svn.c 2004-09-29 13:53:35.000000000 +0200
@@ -108,19 +108,29 @@
  */
 
 static int group_contains_user(svn_config_t *cfg,
-    const char *group, const char *user, apr_pool_t *pool)
+    const char *group, const char *user, apr_pool_t *pool, int level)
 {
     const char *value;
     apr_array_header_t *list;
     int i;
 
+    /* Guard against excessive recursion. */
+    if (level > 10) {
+        return 0;
+    }
+
     svn_config_get(cfg, &value, "groups", group, "");
     list = svn_cstring_split(value, ",", TRUE, pool);
 
     for (i = 0; i < list->nelts; i++) {
         const char *group_user = APR_ARRAY_IDX(list, i, char *);
-        if (!strcmp(user, group_user))
+
+        if (*group_user == '@') {
+            if (group_contains_user(cfg, &group_user[1], user, pool, level + 1))
+                return 1;
+        } else if (!strcmp(user, group_user)) {
             return 1;
+        }
     }
 
     return 0;
@@ -137,7 +147,7 @@
     }
 
     if (*name == '@') {
-        if (!group_contains_user(b->config, &name[1], b->user, b->pool))
+        if (!group_contains_user(b->config, &name[1], b->user, b->pool, 0))
             return TRUE;
     }
     else if (strcmp(name, b->user)) {
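Review bot: The `level > 10` guard in `group_contains_user` stops a cyclic `[groups]` definition from recursing forever, but it does not detect the cycle, and every nested `@` entry is re-read with `svn_config_get` and re-split on each path that reaches it. A group with several nested members that refer back to each other is therefore walked a number of times that grows exponentially with the depth limit, on every access check. Consider recording the groups already visited (for example in an `apr_hash_t` allocated from `pool`) so each group is examined once, and give the limit a name such as `#define AUTHZ_SVN_MAX_GROUP_DEPTH 10`. The function comment above should also state that nesting beyond the limit is reported as non-membership; the function's closing brace lies outside the hunk.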
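Review bot: The `!group_contains_user(...)` test at this call takes the `return TRUE` branch both for a genuine non-member and for a lookup cut short by the new depth limit, so an over-deep or cyclic group silently changes which access rule is applied to `b->user`. What `TRUE` means to the caller is not visible in this hunk; if it means "move on to the next rule", a restrictive line for the group would be skipped just as a permissive one would. I would document that at the call, e.g. `/* 0 also means "nesting limit reached"; the rule is then ignored for this user */`, and report the condition to the error log where a request context is available. The enclosing function starts and ends outside the hunk.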