[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: "SVNAuthorizationShortCircuit or something similar"

From: Justin Erenkrantz <justin_at_erenkrantz.com>
Date: 2007-04-03 22:12:44 CEST

On 4/3/07, David James <james@cs.toronto.edu> wrote:
> Is that configuration really secure? It doesn't look like you handle
> all the details. What about baseline URIs, or baseline collection
> URIs, or even public URIs?

mod_authz_svn doesn't handle host-based authorization at all. I'm
just pointing out one facet of the authorization scheme that can't be
handled by us - and can be broken by a native authz scheme in that
httpd handles it far better than Subversion would.

> I believe that Subversion currently assumes that, if apache says "yes"
> to a URI, then it is safe for the user to access said URI. For
> example, if a user asks for
> http://svn.collab.net/repos/svn/!svn/bc/1100/trunk/IDEAS, and Apache
> says yes, then Subversion assumes that it is OK to send that file to
> the user. So you need to handle all of the cases in your LocationMatch
> directives.

You can combine mod_authz_svn with the LocationMatch.

> Currently, the Subversion "special uris" have been described as an
> "undocumented implementation detail and is liable to change at any
> time". See http://svn.haxx.se/dev/archive-2004-10/0510.shtml .

Frankly, that's a cheap cop-out. We haven't changed it and we're
likely not to change it in the forseeable future.

> Some users have tried to setup LocationMatch directives, but they know
> well that is not 100% secure and that the details about Subversion's
> special URIs may change in the future. See the following post, for
> example, in which the user setup an insecure LocationMatch directive
> instead of setting up mod_authz_svn:
> http://svn.haxx.se/users/archive-2007-04/0035.shtml .
> Given this, do you still think it is "dangerous" for Subversion to
> authorize requests on a per-request basis, instead of on a
> pathrev-pair basis?

Yes, it is dangerous.

Once again (because I think you're missing my point entirely), I'm not
against such dangerous optimizations as it can help folks - but I *am*
strongly advocating that we not name this feature so it sounds like an
innocent feature that an admin can tweak without understanding what it
is really doing.

"native" doesn't sound like something that is dangerous - IMO, "short
circuit" does. Call it "dangerous" or
"i-have-read-the-documentation-about-native-auth" or something - but
just don't make it sound like this is a good idea to enable blindly if
something's not working right. -- justin

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Apr 3 22:12:57 2007

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.