[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Suppress display of sensitive info by servers (proposal)

From: Molle Bestefich <molle.bestefich_at_gmail.com>
Date: 2005-04-13 14:47:11 CEST

>> Could the path from the URL perhaps be included instead of the
filesystem path?
>> Or the repository UUID?
>>
>> Haven't looked at the code, so might be a stupid suggestion :-p.
>
> The approach currently taken in mod_dav_svn is to log the full text of
> the error to Apache's logs, and the sanitized error to the user.

Correction:
The current approach (when using Apache) is to tell the user garbage.
(There are support questions about this over on tsvn-devel on a weekly basis.)

> If the user reports this error to the administrator, it should be a small
> matter for the administrator to find the corresponding error in Apache's
> logs.

Argumentation a bit flawed.. How does the administrator find the
relevant Apache error log?
(S)he doesn't know which Apache server the user is talking about,
since that information is not in the (new) error message.. It's not
in the old either, but the path gives a kind of hint.

Anyway, this is not an important discussion by any length, since
well-behaving users should report the context in which they're seeing
any error. Just thought I'd mention that if it was easy to implement
and you're hacking on it anyway, the context would be nice to include
automatically in the error message (in a non-security-breaching way).

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Apr 13 14:48:00 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.