[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] issue 2486: Svnserve 1.3 authz: writing on subfolder requires read access on repository root (was [Issue 2486] Svnserve 1.3 authz: guidance requested)

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: 2006-03-01 22:31:53 CET

Hi,

hereby attached is my patch for issue 2486. Referring to previous
discussions concerning this issue:
http://svn.haxx.se/dev/archive-2006-03/0003.shtml and
http://svn.haxx.se/dev/archive-2006-01/0704.shtml

This patch contains these changes:
- libsvn_repos/commit.c: removed unneeded checks for read-access in
open_root and open_directory;
- tests/cmdline/authz-tests.py: new tests for this issue, test on open_root
and open_directory.
- repos-test.c: removed now obsolete white-box test

To avoid introducing functional or security issues, I did following tests:

- ran repos-test. I had to remove part of a test that calls open_directory
on a folder with no read-access expecting an error there. That isn't working
anymore, so I removed that part of the test(!).

- tested the error-messages returned when trying to access both denied (*= )
and not-existing folders to check for path-existance leaks. My tests:
  repo structure /A/B/E where B is '*='.
  Tested 'svn ls svn://localhost/repos/A/B/E' -> svn: Authorization failed
  Tested 'svn ls svn://localhost/repos/A/B/XYZ' -> svn: Authorization failed
  Tested 'svn mkdir svn://localhost/repos/A/B/E/q' -> svn: Access denied
  Tested 'svn mkdir svn://localhost/repos/A/B/E/XYZ/q' -> svn: Access denied

- added the new Python authz-tests.py as a reproduction of the issue. When
run, the tests will:
     * be skipped for localhost,
     * succeed for http ( I tested that as well ) and
     * for svnserve they succeed when the patch is applied and fail without.

These are the situations I tested but I'm sure this patch should be
thoroughly reviewed on the security part.

This issue was reported a lot on the users list since the release of svn
1.3, so I consider it important to have a fix in 1.3.1.

regards,

Lieven.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Wed Mar 1 22:35:48 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.