
Re: Suppress display of sensitive info by servers (proposal)

From: Mark Benedetto King <mbk_at_lowlatency.com>
Date: 2005-04-13 14:36:15 CEST

On Wed, Apr 13, 2005 at 08:45:19AM +0200, Molle Bestefich wrote:
> Daniel Rall wrote:
> > Requirements of any solution:
> >
> > o Low-level libraries should continue to propagate all contextual
> > information available (including security-sensitive info). For
> > example, httpd error logs should contain file system paths to the
> > repository, as should error messages from file:// operations.
> >
> > o Secure versions of error messages must still contain relevant
> > security-insensitive information (e.g. "Reference to non-existent
> > revision 3209683", even though the path is omitted).
>
> Wouldn't it become more cumbersome to report error messages to
> anybody, e.g. your sysadmin, if the context is missing?
> (I'm thinking that that's actually more important than fixing some
> imaginary security problem..)

The security problem is not imaginary. Information leakage issues aside,
path disclosure can be used in conjunction with, for example, contents
disclosure vulnerabilities (of which there have been several in Apache).

> Could the path from the URL perhaps be included instead of the filesystem path?
> Or the repository UUID?
> Haven't looked at the code, so might be a stupid suggestion :-p.

The approach currently taken in mod_dav_svn is to log the full text of
the error to Apache's logs, and the sanitized error to the user.

If the user reports this error to the administrator, it should be a small
matter for the administrator to find the corresponding error in Apache's


Received on Wed Apr 13 14:37:39 2005

This is an archived mail posted to the Subversion Dev mailing list.
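
The split described in the message above (full error text to the server log, sanitized text to the user, with security-insensitive details such as the revision number kept), as an added example that is not part of the original mail and is not mod_dav_svn's code. `struct app_error`, `render_error`, `sample_error` and the sample path are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical error record (not Subversion's svn_error_t). Lower layers
   fill in everything they know, including sensitive context. */
struct app_error {
    const char *public_msg;         /* safe to send to a remote user */
    const char *private_ctx;        /* e.g. a file system path, or NULL */
    const struct app_error *child;  /* wrapped lower-level error, or NULL */
};

/* Render the whole chain into buf. With include_private == 0 the private
   context is dropped but every public message is kept. Output is truncated
   to fit and always NUL-terminated; returns the length written. */
static size_t render_error(const struct app_error *err, int include_private,
                           char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0) return 0;
    buf[0] = '\0';
    for (; err != NULL && used < len - 1; err = err->child) {
        const char *ctx = include_private ? err->private_ctx : NULL;
        int n = snprintf(buf + used, len - used, "%s%s%s%s%s",
                         used ? ": " : "", err->public_msg,
                         ctx ? " [" : "", ctx ? ctx : "", ctx ? "]" : "");
        if (n < 0) break;
        used = ((size_t)n < len - used) ? used + (size_t)n : len - 1;
    }
    return used;
}

/* Constructed sample chain; the path is made up for illustration. */
static const struct app_error *sample_error(void)
{
    static const struct app_error low = {
        "Reference to non-existent revision 3209683", "/srv/svn/repos/example", NULL };
    static const struct app_error top = {
        "Could not open the requested revision", NULL, &low };
    return &top;
}

int main(void)
{
    char full[256], safe[256];
    render_error(sample_error(), 1, full, sizeof full);
    render_error(sample_error(), 0, safe, sizeof safe);
    fprintf(stderr, "[error] %s\n", full);  /* stands in for the server log */
    printf("%s\n", safe);                   /* what the client receives */
    return 0;
}
```

Because both renderings come from the same chain, the text the user reports is a prefix-free subset of the logged line, so an administrator can search the server log for it directly.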