[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Authz inconsistency in svn_repos_get_logs()

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2007-10-16 23:05:32 CEST

Vlad Georgescu wrote:
> While working on issue #2712, I noticed that if you run 'svn log' on the
> root of a repository, svn_repos_get_logs4() won't check the authz rules,
> but if you run 'svn log' on a path below the root or on multiple paths,
> the checks will be made and you'll get an error if you don't have
> permission to read that path.

By the way, this isn't a security problem, because we do
another round of authz checks later (in libsvn_repos/log.c:
detect_changed()) to determine what information to send back, so the
user never sees stuff he isn't supposed to.

The checks I'm talking about are in get_path_histories() and will simply
deny you access completely. The inconsistency is that we don't make
that check for the root of the repository, because it is handled by
svn_repos_get_logs() directly.

-- 
Vlad
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Oct 16 23:09:50 2007

This is an archived mail posted to the Subversion Dev mailing list.