
Re: "SVNAuthorizationShortCircuit or something similar"

From: David James <james_at_cs.toronto.edu>
Date: 2007-04-16 22:00:24 CEST

On 4/3/07, Justin Erenkrantz <justin@erenkrantz.com> wrote:
> > Some users have tried to set up LocationMatch directives, but they know
> > well that is not 100% secure and that the details about Subversion's
> > special URIs may change in the future. See the following post, for
> > example, in which the user set up an insecure LocationMatch directive
> > instead of setting up mod_authz_svn:
> > http://svn.haxx.se/users/archive-2007-04/0035.shtml .
> >
> > Given this, do you still think it is "dangerous" for Subversion to
> > authorize requests on a per-request basis, instead of on a
> > pathrev-pair basis?
>
> Yes, it is dangerous.
>
> Once again (because I think you're missing my point entirely), I'm not
> against such dangerous optimizations as it can help folks - but I *am*
> strongly advocating that we not name this feature so it sounds like an
> innocent feature that an admin can tweak without understanding what it
> is really doing.

Okay, let's see if I understand now: You're saying that it's dangerous
for us to change the way that Subversion processes special URIs
because there are users who depend on their behaviour in LocationMatch
directives.

To demonstrate your point, could you give a working and secure example
of such a LocationMatch directive? Your existing LocationMatch rule
doesn't work because it doesn't block baseline-collection URIs.

You could, as you say, add mod_authz_svn into the mix, and teach
mod_authz_svn to block the baseline collection URIs, but, if you do
that, you will have to teach mod_authz_svn to block all the same URLs
that your LocationMatch is blocking. In that case, the LocationMatch
directive is redundant and serves no purpose.

You also pointed out that "mod_authz_svn doesn't handle host-based
authorization at all." Are you implying that the new short circuit
authz option might break Apache's host-based authorization? If so,
how?

I do agree with you that there are some users who might be affected by
the special URI change. CollabNet, for example, wrote a custom authz
module, which will need to be updated if they want to support
short-circuit authentication.

Does this fact itself make the authz change dangerous? I don't think
so -- I think that any users who wrote custom authz modules will
understand that, if they switch Subversion to use short-circuit
authentication, they will also need to update their custom authz
module to support this feature.

Cheers,

David

Received on Mon Apr 16 22:00:38 2007

This is an archived mail posted to the Subversion Dev mailing list.
