I believe I've found a bug in subversion-1.4.4. Because I could get no
reaction on IRC I'm writing to this list instead.
When multiple user names that only differ in case appear in a subversion
config file, then only one line of this seems to take effect.
In password files for svnserve, the last entry will define the password
for all variants.
In authz-db files resp. AuthzSVNAccessFile files, only the first variant
will be granted any access.
Possibly related to issue 2485 although that's about case in repository
names, not in user names.
Steps to reproduce (not numbered so you can copy them to your shell):
svnadmin create test
cat > test/conf/svnserve.conf <<SVNSERVE
password-db = passwd
anon-access = none
authz-db = authz
realm = Test this Bug
cat > test/conf/passwd <<PASSWD
foo = foo
Foo = bar
cat > test/conf/authz <<AUTHZ
foo = r
Foo = r
svnserve --daemon -r $PWD --pid-file svnserve.pid \
--listen-host 127.0.0.1 --listen-port 12345
svn co --username foo --password foo --no-auth-cache \
--non-interactive svn://127.0.0.1:12345/test foo
svn co --username Foo --password bar --no-auth-cache \
--non-interactive svn://127.0.0.1:12345/test bar
svn co --username foo --password bar --no-auth-cache \
--non-interactive svn://127.0.0.1:12345/test baz
rm -rf svnbug
1. --username foo --password foo:
svn: Authentication error from server: Password incorrect
2. --username Foo --password bar:
svn: Authorization failed
3. --username foo --password bar:
Checked out revision 0.
Probably config files are parsed into some associative structure
ignoring case for the keys. Password lookup seems to be done case
insensitive. Authz checking however seems to take case into account;
however with multiple lines differing only in case the first such line
seems to define the case of all stored entries.
The problem with multiple lines in the authz files is reproducible with
mod_authz_svn in apache as well, although giving exact steps to
reproduce that would take a bit longer.
In case you can't change the way config files are parsed, for
consistency's sake you should probably say that user names are always
compared case-insensitive, and have the authz stuff follow that line.
This might break some rare scenarios where different users (due to
Apache doing the authentication in a case-sensitive way) are mentioned
in different sections (otherwise the setup is broken already so there is
nothing to break) and would gain unintended access if the suggested fix
Do you agree this is a bug?
Can you reproduce it?
Do you know of any existing issue report mentioning this?
Can I file a new issue about it?
Do you have an opinion about my suggested solution?
Martin von Gagern
Received on Wed Aug 1 17:16:23 2007