=== subversion/libsvn_repos/authz.c
==================================================================
--- subversion/libsvn_repos/authz.c	(revision 148126)
+++ subversion/libsvn_repos/authz.c	(local)
@@ -279,12 +279,14 @@
 {
   struct authz_lookup_baton *b = baton;
   svn_boolean_t conclusive;
+  const char *section_name_canonical 
+    = svn_path_canonicalize(section_name, pool);
 
   /* Does the section apply to us? */
   if (svn_path_is_ancestor(b->qualified_repos_path,
-                           section_name) == FALSE
+                           section_name_canonical) == FALSE
       && svn_path_is_ancestor(b->repos_path,
-                              section_name) == FALSE)
+                              section_name_canonical) == FALSE)
     return TRUE;
 
   /* Work out what this section grants. */
@@ -305,7 +307,28 @@
   return b->access;
 }
 
+/** Callback to parse a section and update the authz baton if the
+ *  section is exactly the one specified by BATON->repos_path (not a
+ *  child).  Implements the svn_config_section_enumerator2_t
+ *  interface.
+ */
+static svn_boolean_t
+authz_parse_exact_section(const char *section_name, void *baton,
+                          apr_pool_t *pool)
+{
+  struct authz_lookup_baton *b = baton;
+  const char *section_name_canonical
+    = svn_path_canonicalize(section_name, pool);
 
+  /* Is this section the one we're looking for? */
+  if (strcmp(section_name_canonical, b->repos_path) != 0)
+    return TRUE;
+
+  svn_config_enumerate2(b->config, section_name,
+                        authz_parse_line, b, pool);
+  return TRUE;
+}
+
 /* Validate access to the given user for the given path.  This
  * function checks rules for exactly the given path, and first tries
  * to access a section specific to the given repository before falling
@@ -330,8 +353,9 @@
 
   /* Try to locate a repository-specific block first. */
   qualified_path = apr_pstrcat(pool, repos_name, ":", path, NULL);
-  svn_config_enumerate2(cfg, qualified_path,
-                        authz_parse_line, &baton, pool);
+  baton.repos_path = qualified_path;
+  svn_config_enumerate_sections2(cfg, authz_parse_exact_section,
+                                 &baton, pool);
 
   *access_granted = authz_access_is_granted(baton.allow, baton.deny,
                                             required_access);
@@ -342,7 +366,9 @@
     return TRUE;
 
   /* No repository specific rule, try pan-repository rules. */
-  svn_config_enumerate2(cfg, path, authz_parse_line, &baton, pool);
+  baton.repos_path = path;
+  svn_config_enumerate_sections2(cfg, authz_parse_exact_section,
+                                 &baton, pool);
 
   *access_granted = authz_access_is_granted(baton.allow, baton.deny,
                                             required_access);
@@ -391,10 +417,12 @@
                            apr_pool_t *pool)
 {
   struct authz_lookup_baton *b = baton;
+  const char *section_name_canonical
+    = svn_path_canonicalize(section_name, pool);
 
   /* Does the section apply to the query? */
   if (section_name[0] == '/'
-      || strncmp(section_name, b->repos_path,
+      || strncmp(section_name_canonical, b->repos_path,
                  strlen(b->repos_path)) == 0)
     {
       b->allow = b->deny = svn_authz_none;
=== subversion/tests/cmdline/authz_tests.py
==================================================================
--- subversion/tests/cmdline/authz_tests.py	(revision 148126)
+++ subversion/tests/cmdline/authz_tests.py	(local)
@@ -178,7 +178,7 @@
 
   write_authz_file(sbox, { "/": "* = r",
                            "/A/B": "* =",
-                           "/A/D": "* = rw",
+                           "/A/D/": "* = rw",
                            "/A/D/G": ("* = rw\n" +
                                       svntest.main.wc_author + " ="),
                            "/A/D/H": ("* = \n" +