[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Bug: webdav ignores resticted folder underneath public root

From: Freek Dijkstra <public_at_macfreek.nl>
Date: 2007-07-11 17:36:49 CEST

Dave, it is not related to #2712. The issue described be me and Michael
only occurs if:
- the root folder is anonymously accessible
- a subfolder has restricted access
- HTTP or HTTPS is used as the transport protocol

C. Michael Pilato wrote:

> Here's a blog post that I think is ultimately related to this topic:
> http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html

Thanks! Very useful, clear explanation!

I used the last option mentioned (two URLs with the same repository),
but we recently moved servers, and the sysadmin liked to integrate them
"because that's possible, after all". Then the headache started ;-). I
finally asked him to simply close anonymous access, essentially using
the first option mentioned.

However, you make it sound like a solution can not exist. That is not
true. Let me give you two solutions:

First, one statement in the blog is not entrally correct:

> And you can't force Subversion to transmit authentication credentials
> when Apache hasn't asked for them.

Well, you can not for HTTP Digest authentication, but you most certainly
can for HTTP Basic authentication.

% telnet www.example.org 80
REPORT /svn/myrepos/!svn/vcc/default HTTP/1.1
Host: www.example.org
Connection: TE
TE: trailers
Authorization: Basic YXVzZXI6c2VjcmV0=
Content-Length: 212
Content-Type: text/xml

<S:update-report send-all="false"
xmlns:S="svn:"><S:src-path>http://www.example.com/svn/myrepos</S:src-path><S:target-revision>1</S:target-revision><S:entry
rev="1" start-empty="true"></S:entry></S:update-report>

And you DO get the restricted access folder:
[...]
<S:add-directory name="restrictedsubfolder"
bc-url="/svn/myrepos/!svn/bc/1/restrictedsubfolder">
<D:checked-in><D:href>/svn/myrepos/!svn/ver/1/restrictedsubfolder</D:href></D:checked-in>
[...]

However, I'm the first to admit that this is, or should be, an
non-solution since HTTP Basic authentication is has no encryption and
should not be used. And you are right that with HTTP Digest
authentication, subversion *CAN NOT* send authentication credentials,
since Apache does not give a challenge key.

However, *if* subversion encounters a statement in the report saying
    <S:absent-directory name="restrictedsubfolder"/>
while it was not able to present the proper authentication credentials,
even though the user presented that on the command line, then it will
surely be able to deduce that the reason that folder was sent was
becuase it was restricted. In that case, it can simply continue to
retrieve /svn/myrepos/restrictedsubfolder/ after it fetched /svn/myrepos/!

I think that is a non-trivial, but viable option to solve this bug.
Perhaps a smart developer can even come up with a better solution.

Regards,
Freek Dijkstra

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Jul 11 17:36:24 2007

This is an archived mail posted to the Subversion Dev mailing list.