
Re: "Locked" messages useless

From: Daniel Rall <dlr_at_finemaltcoding.com>
Date: 2005-10-20 23:29:46 CEST

On Sun, 16 Oct 2005, Ingo Adler wrote:

> Ben Collins-Sussman wrote:
>
> >On 10/16/05, Ingo Adler <dev@synacon.ch> wrote:
...
> >>(2) No, it doesn't tell me which repository it's in. It tells me, where
> >>the repository files are placed on the server. But which server?
> >
> >I agree that this is a bug. The full path to the repository is a
> >minor security bug that we should fix. And I agree that it doesn't
> >help the user at all.
>
> This was the point. Thank you and good night.

This has come up repeatedly for numerous commands and APIs. The root cause
of this problem is that the potentially sensitive information is appropriate
for display by some callers, and thus must be propagated from the lowest
levels by the core libraries.

A while back, I attempted design of a solution which allowed error information
to be marked as possibly sensitive. We determined that application of such
an API was difficult at best, due to the fact that it is the caller's context
which actually determines what error information to display. For example,
a system administrator working with svn or svnadmin on the repository host
itself might very well want to see full paths to the repository, whereas
users of the same repository over ra_dav or ra_svn should not have these paths
exposed to them. The underlying core libraries which access the repository
must provide the local file system path when generating an error, but since
all binaries eventually use the same libraries, that sensitive path
information must be suppressed by some callers.

As of yet, we punt and leave it up to every caller to filter out possibly
sensitive information at the appropriate level. In many places, we are still
not yet doing this filtering of sensitive info.

- Dan

Received on Thu Oct 20 23:29:18 2005
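
The layering problem described in the message above, as an added sketch that is not Subversion code and not part of the original mail: the core library records the full detail and marks it as possibly sensitive, and only the caller, which knows its own context, decides what to render. All type and function names, the sample messages and the sample path are hypothetical.

```c
/* Added illustration; hypothetical names, not the Subversion API. */
#include <stdio.h>
#include <string.h>
typedef enum { CTX_LOCAL_ADMIN, CTX_REMOTE_CLIENT } caller_ctx;
typedef struct err_link {
    const char *message;          /* text produced by the core library */
    int sensitive;                /* 1 if message embeds server-side detail */
    const char *redacted;         /* replacement safe for remote users, or NULL */
    const struct err_link *child; /* next, lower-level error in the chain */
} err_link;

/* Flatten an error chain into buf for the given caller context.
   Returns 0 on success, -1 if buf is too small. */
int render_chain(const err_link *e, caller_ctx ctx, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0) return -1;
    buf[0] = '\0';
    for (; e != NULL; e = e->child) {
        const char *text = e->message;
        if (e->sensitive && ctx != CTX_LOCAL_ADMIN)   /* fail closed */
            text = e->redacted ? e->redacted : "(detail withheld)";
        int n = snprintf(buf + used, len - used, "%s%s", used ? ": " : "", text);
        if (n < 0 || (size_t)n >= len - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Constructed sample chain; the path is made up for this example. */
static const err_link low = {
    "can't open '/srv/example/repos/db/locks'", 1, "repository storage error", NULL };
static const err_link top = { "path 'trunk/a.c' is locked", 0, NULL, &low };

/* Does the text rendered for ctx contain needle? 1 yes, 0 no, -1 on error. */
int rendered_contains(caller_ctx ctx, const char *needle)
{
    char buf[256];
    if (render_chain(&top, ctx, buf, sizeof buf) != 0) return -1;
    return strstr(buf, needle) != NULL;
}

int main(void)
{
    char buf[256];
    for (int c = CTX_LOCAL_ADMIN; c <= CTX_REMOTE_CLIENT; c++)
        if (render_chain(&top, (caller_ctx)c, buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

The redaction test is written so that any context other than the local administrator gets the filtered text, which keeps a newly added caller from exposing the path by default.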

This is an archived mail posted to the Subversion Dev mailing list.